change session id generator to normal string based generator

Author: Yani

src/Config.php

@@ -121,9 +121,9 @@ public function getSidPrefix(): string
 
     public function setSidLength(int $sid_length): self
     {
-        if ($sid_length < 22 || $sid_length > 256) {
+        if ($sid_length < 32 || $sid_length > 256) {
             throw new InvalidArgumentException(
-                '$sid_length must be at least 22 and not greater than 256'
+                'sid_length must be at least 32 and not greater than 256'
             );
         }
 
@@ -136,28 +136,17 @@ public function getSidLength(): int
         return $this->sid_length;
     }
 
-    protected int $sid_bits_per_character = 4;
+    protected string $sid_charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
 
-    public function setSidBitsPerCharacter(int $sid_bits_per_character): self
+    public function setSidCharset(string $sid_charset): self
     {
-        if ($sid_bits_per_character < 4 || $sid_bits_per_character > 6) {
-            throw new InvalidArgumentException(
-                '$sid_bits_per_character must be at least 4 and not greater than than 6'
-            );
-        }
-
-        $this->sid_bits_per_character = $sid_bits_per_character;
-
-        if ($sid_bits_per_character >= 5 && $this->sid_length < 26) {
-            $this->setSidLength(26);
-        }
-
+        $this->sid_charset = $sid_charset;
         return $this;
     }
 
-    public function getSidBitsPerCharacter(): int
+    public function getSidCharset(): string
     {
-        return $this->sid_bits_per_character;
+        return $this->sid_charset;
     }
 
     protected bool $lazy_write = true;

src/Factory.php

@@ -131,11 +131,11 @@ public function configFromArray(array $settings): Config
             $config->setSidLength($settings['sid_length']);
         }
 
-        if (isset($settings['sid_bits_per_character'])) {
-            if (!is_int($settings['sid_bits_per_character'])) {
-                throw new InvalidArgumentException('sid_bits_per_character must be an integer');
+        if (isset($settings['sid_charset'])) {
+            if (!is_string($settings['sid_charset'])) {
+                throw new InvalidArgumentException('sid_charset must be a string');
             }
-            $config->setSidBitsPerCharacter($settings['sid_bits_per_character']);
+            $config->setSidCharset($settings['sid_charset']);
         }
 
         if (isset($settings['lazy_write'])) {
@@ -203,10 +203,6 @@ public function configFromSystem(): Config
             $config->setSidLength((int) ini_get('session.sid_length'));
         }
 
-        if (ini_get('session.sid_bits_per_character') !== false) {
-            $config->setSidBitsPerCharacter((int) ini_get('session.sid_bits_per_character'));
-        }
-
         $config->setLazyWrite((bool) ini_get('session.lazy_write'));
 
         return $config;

src/SessionId.php

@@ -22,74 +22,29 @@ public function __toString(): string
 
     public function create_sid(): string
     {
-        $prefix = $this->config->getSidPrefix();
-        $desiredOutputLength = $this->config->getSidLength() - strlen($prefix);
-        $bitsPerCharacter = $this->config->getSidBitsPerCharacter();
+        $length  = $this->config->getSidLength();
+        $charset = $this->config->getSidCharset();
+        $prefix  = $this->config->getSidPrefix();
 
-        $bytesNeeded = (int) ceil($desiredOutputLength * $bitsPerCharacter / 8);
-        $randomInputBytes = random_bytes(max(1, $bytesNeeded));
+        $lengthWithoutPrefix = $length - \strlen($prefix);
 
-        // The below is translated from function bin_to_readable in the PHP source
-        // (ext/session/session.c)
-        static $hexconvtab = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-';
-
-        $out = '';
-
-        $p = 0;
-        $q = strlen($randomInputBytes);
-        $w = 0;
-        $have = 0;
-
-        $mask = (1 << $bitsPerCharacter) - 1;
-
-        $charsRemaining = $desiredOutputLength;
-        while ($charsRemaining--) {
-            if ($have < $bitsPerCharacter) {
-                if ($p < $q) {
-                    $byte = ord($randomInputBytes[$p++]);
-                    $w |= ($byte << $have);
-                    $have += 8;
-                } else {
-                    // Should never happen. Input must be large enough.
-                    break;
-                }
-            }
-
-            // consume $bitsPerCharacter bits
-            $out .= $hexconvtab[$w & $mask];
-            $w >>= $bitsPerCharacter;
-            $have -= $bitsPerCharacter;
+        $pieces = [];
+        $max    = \strlen($charset) - 1;
+        for ($i = 0; $i < $lengthWithoutPrefix; ++$i) {
+            $pieces [] = $charset[\random_int(0, $max)];
         }
 
-        return $prefix . $out;
+        return $prefix . \implode('', $pieces);
     }
 
     public function validate_sid(string $id): bool
     {
-        if (strlen($id) !== $this->config->getSidLength()) {
+        if (\strlen($id) !== $this->config->getSidLength()) {
             return false;
         }
 
-        // Prefix might not validate under the rules for bits=4 or bits=5
-        $prefix = $this->config->getSidPrefix();
-        if ($prefix) {
-            $id = substr($id, strlen($prefix));
-        }
-
-        switch ($this->config->getSidBitsPerCharacter()) {
-            case 4:
-                // 0123456789abcdef
-                return preg_match('/^[0-9a-f]+$/', $id) === 1;
-
-            case 5:
-                // 0123456789abcdefghijklmnopqrstuv
-                return preg_match('/^[0-9a-v]+$/', $id) === 1;
-
-            case 6:
-                // 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-
-                return preg_match('/^[0-9a-zA-Z,-]+$/', $id) === 1;
-        }
+        $pregSafeString = \preg_quote($this->config->getSidCharset(), '/');
 
-        return false;
+        return \preg_match('/^[' . $pregSafeString . ']+$/', $id) === 1;
     }
 }