Curious Session Behaviour (filename string length)

Question

I noticed today that in my session files for a site, there are a few files with file names that are significantly smaller than the rest, example:

Standard Session File:

  sess_0020cc255681808f78c08b67cd88cbcea13f45ee7629754ed82ccb8b010cf83d2b353b7136847f2876d99f3297a5def5bcc62b433d6d56d7f1b301f82c833aad

(5 + 128 character file length)

Exceptional Session File:

  sess_629aca24e094f17d02b3d105ebe9e5d4

(5 + 32 character file length)

This site is very busy and has a Lot of traffic (~22k visitors pcm), viewing the session folder there are ~1% (actually 0.92%) of these very short named session files.

I have in the past read up a lot on sessions before implementing this site redesign last year (2015) and from that, currently have in my php.ini:

session.cookie_httponly=1
session.use_only_cookies=1
session.cookie_secure=1
session.entropy_file=/dev/urandom
session.hash_function=whirlpool
session.session.use_trans_sid=0
session.entropy_length=32

EDIT (additionals):

session.hash_bits_per_character = 4

session.sid_length is undefined (undefinable) as this build is using PHP 5.6.2

Which, as far as I know, should be generally fine. I have read very few other topics about how to ensure minimum file length, although I have read various thing about using session.entropy_length but this doesn't seem to obviously apply to this issue.

The entropy_length value is the only one I'm not certain of its use and need.

My Questions

• What causes 1% of sessions to be only 5 + 32 characters long?
• How do I set it so that all sessions are the same length (5 + 128 chrs)

I realise the below question I can try it and see as it causes no harm, but if the above solution is the intended use for session.entropy_length , that would be useful to know. There seems little literature around about what entropy_length is actually -practically- for.

• Will increasing the session entropy length value improve this? [NO]

I think there can currently be a small potential issue with session name collision, and it looks frankly wrong how so many session files are so wonderfully long but a notable minority are relatively tiny.

Updates

From comments there are some details that it may be worth me summarising here:

• The issue is not with my browser(!!)
• This is using PHP Version 5.6.2
• LAMP stack on a [single] WHM server.
• If PHP-cli is run it could/would only be run by the server hosts, although I really doubt they're running it. I know them well and am a decent client so....
• I have checked and confirmed that the website htaccess files are not making any changes to any aspect of PHP
• The server runs with very few error logs (I have 14 errors from the last week, from 9k visits, errors all 404s from robot scrapers trying to hack into Wordpress [the site is not wordpress].)
• PHP is run through suPHP (version unknown at present), I'm also looking at updating suphp but I doubt this would directly relate to this issue.
• From Ryan Vincents suggestion I will setup a notification when a shorter than 128chr session is made (and hopefully from which address)
• The session file storage folder is defined in PHP.ini and so if an outside PHP.ini is used then I'd expect sessions to appear in other folders such as /temp.

Answer 1

This will most likely be hackers/hack attempts if you have a site as popular as you describe. Hackers will be hitting the site quite regularly and using captured or (in this case) spoofed session IDs, and they will spoof in the normal 32-byte hex.

If you modify the cookie "PHPSESSID" to contain any text at all, PHP picks it up and creates a session with that ID, and a corresponding sess_[sessionId] file. From my testing (and you can try it yourself) PHP will use any length of ID and accept it and use it, regardless of the ini settings.

The good news is that if you do a session_id() then it will return the spoofed ID so you can then

• deny
• honey-pot, or
• recreate with a valid session

BUT this won't stop the session file being created.

Alternatively create your own session handling system and avoid session_start(); then you can manually validate the session_id format before using.

Answer 2

In php.ini file, you can check hash algo

; Select a hash function for use in generating session ids.
; Possible Values
;   0  (MD5 128 bits)
;   1  (SHA-1 160 bits)
; This option may also be set to the name of any hash function supported by
; the hash extension. A list of available hashes is returned by the hash_algos()
; function.
; http://php.net/session.hash-function
session.hash_function = 0

Now check in http://php.net/manual/en/function.hash-algos.php, it provides index of use different kind of algorithms

For make 5 + 128 character long you can use sha512 or whirlpool algorith for generate Session Id. Check length of hash method http://php.net/manual/en/function.hash.php

So session file name should be sess_ + session_id

So in your php.ini you can set

session.hash_function = whirlpool
session.hash_function = sha512

or in PHP you can set dynamically before start_session() function

ini_set('session.hash_function', 'whirlpool');
ini_set('session.hash_function', 'sha512');

I have tested with ini_set() function, it works fine for me and generate session file 5+128 character.

My PHP file code

<?php
ini_set('session.hash_function', 'whirlpool');
session_start();
echo "Session ID: " . session_id();

Output:

Session ID: 0216691c286f2023c6bad823952bcfbdd1cb51980e1981afa28418e887209dcfae3443dc3b59ecaf6201c5d1ea18cd4eb8810de69668a5a366e3c98396ca3786

Screenshot of generated file