session support

25 files changed, 819 insertions, 11 deletions

diff --git a/config.m4 b/config.m4
index 9cb8969..a6dade9 100644
--- a/config.m4
+++ b/config.m4
@@ -5,7 +5,7 @@ PHP_ARG_ENABLE(suhosin7, whether to enable suhosin support,
 [  --enable-suhosin7        Enable suhosin support])
 
 if test "$PHP_SUHOSIN7" != "no"; then
-        PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c execute_rnd.c crypt.c cookiecrypt.c header.c, $ext_shared,, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1])
+        PHP_NEW_EXTENSION(suhosin7, suhosin7.c ifilter.c memory_limit.c aes.c treat_data.c log.c execute.c execute_ih.c execute_rnd.c crypt.c cookiecrypt.c header.c session.c, $ext_shared,, [-DZEND_ENABLE_STATIC_TSRMLS_CACHE=1])
         PHP_ADD_EXTENSION_DEP(suhosin7, hash)
         echo "===== WARNING ============================================"
         echo "  Suhosin7 for PHP 7 is in alpha stage at the moment and"
diff --git a/cookiecrypt.c b/cookiecrypt.c
index 70b0c5a..f4f3638 100644
--- a/cookiecrypt.c
+++ b/cookiecrypt.c
@@ -106,8 +106,9 @@ char *suhosin_cookie_decryptor(char *raw_cookie)
         // int j;
         char cryptkey[33];
 
-        suhosin_generate_key(SUHOSIN7_G(cookie_cryptkey), SUHOSIN7_G(cookie_cryptua), SUHOSIN7_G(cookie_cryptdocroot), SUHOSIN7_G(cookie_cryptraddr), cryptkey);
-        SDEBUG("cryptkey=%02x.%02x.%02x", cryptkey[0], cryptkey[1], cryptkey[2]);
+        // suhosin_generate_key(SUHOSIN7_G(cookie_cryptkey), SUHOSIN7_G(cookie_cryptua), SUHOSIN7_G(cookie_cryptdocroot), SUHOSIN7_G(cookie_cryptraddr), cryptkey);
+        S7_GENERATE_KEY(cookie, cryptkey);
+        // SDEBUG("cryptkey=%02x.%02x.%02x", cryptkey[0], cryptkey[1], cryptkey[2]);
         
         ret = decrypted = emalloc(strlen(raw_cookie)*4+1);
         raw_cookie = estrdup(raw_cookie);
diff --git a/header.c b/header.c
index a916746..b7ce010 100644
--- a/header.c
+++ b/header.c
@@ -75,7 +75,7 @@ static int suhosin_header_handler(sapi_header_struct *sapi_header, sapi_header_o
                 int nlen, vlen, len, tlen;
                 char cryptkey[33];
 
-                suhosin_generate_key(SUHOSIN7_G(cookie_cryptkey), SUHOSIN7_G(cookie_cryptua), SUHOSIN7_G(cookie_cryptdocroot), SUHOSIN7_G(cookie_cryptraddr), (char *)cryptkey);
+                S7_GENERATE_KEY(cookie, cryptkey);
                 start = estrndup(sapi_header->header, sapi_header->header_len);
                 rend = end = start + sapi_header->header_len;
 
diff --git a/php_suhosin7.h b/php_suhosin7.h
index cbde402..75244fe 100644
--- a/php_suhosin7.h
+++ b/php_suhosin7.h
@@ -71,6 +71,9 @@ extern zend_module_entry suhosin7_module_entry;
 // PHP_MINFO_FUNCTION(suhosin);
 
 #include "ext/standard/basic_functions.h"
+#ifdef HAVE_PHP_SESSION
+#include "ext/session/php_session.h"
+#endif
 
 static inline int suhosin_is_protected_varname(char *var, int var_len)
 {
@@ -219,6 +222,15 @@ ZEND_BEGIN_MODULE_GLOBALS(suhosin7)
         zend_bool  no_more_cookie_variables;
         zend_bool  no_more_uploads;
 
+        /*      session */
+#ifdef HAVE_PHP_SESSION
+        void *s_module;
+        void *s_original_mod;
+        int (*old_s_read)(PS_READ_ARGS);
+        int (*old_s_write)(PS_WRITE_ARGS);
+        int (*old_s_destroy)(PS_DESTROY_ARGS);
+#endif
+
         /* encryption */
         BYTE fi[24],ri[24];
         WORD fkey[120];
@@ -377,6 +389,9 @@ void suhosin_hook_header_handler();
 void suhosin_unhook_header_handler();
 void suhosin_hook_execute();
 // void suhosin_hook_sha256();
+#ifdef HAVE_PHP_SESSION
+void suhosin_hook_session();
+#endif
 
 // ifilter.c
 void suhosin_normalize_varname(char *varname);
@@ -390,6 +405,7 @@ char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int v
 zend_string *suhosin_encrypt_string(char *str, int len, char *var, int vlen, char *key);
 zend_string *suhosin_decrypt_string(char *str, int padded_len, char *var, int vlen, char *key, int check_ra);
 char *suhosin_generate_key(char *key, zend_bool ua, zend_bool dr, long raddr, char *cryptkey);
+#define S7_GENERATE_KEY(type, keyvar) suhosin_generate_key(SUHOSIN7_G(type ## _cryptkey), SUHOSIN7_G(type ## _cryptua), SUHOSIN7_G(type ## _cryptdocroot), SUHOSIN7_G(type ## _cryptraddr), (char *)keyvar);
 
 // aes.c
 void suhosin_aes_gentables();
diff --git a/session.c b/session.c
new file mode 100644
index 0000000..ad114d4
--- /dev/null
+++ b/session.c
@@ -0,0 +1,309 @@
+/*
+  +----------------------------------------------------------------------+
+  | Suhosin Version 1                                                    |
+  +----------------------------------------------------------------------+
+  | Copyright (c) 2006-2007 The Hardened-PHP Project                     |
+  | Copyright (c) 2007-2016 SektionEins GmbH                             |
+  +----------------------------------------------------------------------+
+  | This source file is subject to version 3.01 of the PHP license,      |
+  | that is bundled with this package in the file LICENSE, and is        |
+  | available through the world-wide-web at the following url:           |
+  | http://www.php.net/license/3_01.txt                                  |
+  | If you did not receive a copy of the PHP license and are unable to   |
+  | obtain it through the world-wide-web, please send a note to          |
+  | license@php.net so we can mail you a copy immediately.               |
+  +----------------------------------------------------------------------+
+  | Authors: Stefan Esser <sesser@sektioneins.de>                        |
+  |          Ben Fuhrmannek <ben.fuhrmannek@sektioneins.de>              |
+  +----------------------------------------------------------------------+
+*/
+/*
+  $Id: session.c,v 1.1.1.1 2007-11-28 01:15:35 sesser Exp $ 
+*/
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "php.h"
+#include "SAPI.h"
+#include "php_ini.h"
+#include "zend_smart_str.h"
+#include "ext/standard/php_var.h"
+#include <fcntl.h>
+
+#include "php_suhosin7.h"
+
+#include "ext/hash/php_hash.h"
+
+#ifdef HAVE_PHP_SESSION
+#include "ext/session/php_session.h"
+
+#ifdef ZTS
+static ts_rsrc_id session_globals_id = 0;
+#define SESSION_G(v) ZEND_TSRMG(session_globals_id, php_ps_globals *, v)
+# ifdef COMPILE_DL_SESSION
+ZEND_TSRMLS_CACHE_EXTERN();
+# endif
+#else
+static php_ps_globals *session_globals = NULL;
+#define SESSION_G(v) (ps_globals.v)
+#endif
+
+#define COND_DUMB_SH key == NULL || ZSTR_LEN(key) == 0 || ZSTR_VAL(key)[0] == 0 \
+        || ZSTR_LEN(key) > SUHOSIN7_G(session_max_id_length) \
+        || ((mod_data == NULL || *mod_data == NULL) && !SESSION_G(mod_user_implemented))
+
+static void suhosin_send_cookie()
+{
+        int  * session_send_cookie = &SESSION_G(send_cookie);
+        char * base;
+        zend_ini_entry *ini_entry;
+        
+        /* The following is requires to be 100% compatible to PHP 
+           versions where the hash extension is not available by default */
+        if ((ini_entry = zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("session.hash_bits_per_character"))) != NULL) {
+#ifndef ZTS
+                base = (char *) ini_entry->mh_arg2;
+#else
+                base = (char *) ts_resource(*((int *) ini_entry->mh_arg2));
+#endif
+                session_send_cookie = (int *) (base+(size_t) ini_entry->mh_arg1+sizeof(long));
+        }
+        *session_send_cookie = 1;
+}
+
+
+
+static ZEND_INI_MH((*old_OnUpdateSaveHandler)) = NULL;
+static int (*old_SessionRINIT)(INIT_FUNC_ARGS) = NULL;
+
+static int suhosin_hook_s_read(PS_READ_ARGS)
+{
+        zend_string *new_key = key;
+        
+        /* protect session vars */
+/*  if (SESSION_G(http_session_vars) && SESSION_G(http_session_vars)->type == IS_ARRAY) {
+                SESSION_G(http_session_vars)->refcount++;
+        }*/
+        
+        /* protect dumb session handlers */
+        if (COND_DUMB_SH) {
+regenerate:
+                SDEBUG("regenerating key. old key was %s", key ? ZSTR_VAL(key) : "<NULL>");
+                zend_string_release(SESSION_G(id));
+                new_key = SESSION_G(id) = SESSION_G(mod)->s_create_sid(&SESSION_G(mod_data));
+                suhosin_send_cookie();
+        } else if (ZSTR_LEN(key) > SUHOSIN7_G(session_max_id_length)) {
+                suhosin_log(S_SESSION, "session id ('%s') exceeds maximum length - regenerating", ZSTR_VAL(key));
+                if (!SUHOSIN7_G(simulation)) {
+                        goto regenerate;
+                }
+        }
+
+        int r = SUHOSIN7_G(old_s_read)(mod_data, new_key, val, maxlifetime);
+
+        if (r == SUCCESS && SUHOSIN7_G(session_encrypt) && val != NULL && *val != NULL && ZSTR_LEN(*val)) {
+                char cryptkey[33];
+        
+                // SUHOSIN7_G(do_not_scan) = 1;
+                S7_GENERATE_KEY(session, cryptkey);
+                
+                zend_string *orig_val = *val;
+                *val = suhosin_decrypt_string(ZSTR_VAL(*val), ZSTR_LEN(*val), "", 0, (char *)cryptkey, SUHOSIN7_G(session_checkraddr));
+                // SUHOSIN7_G(do_not_scan) = 0;
+                if (*val == NULL) {
+                        *val = ZSTR_EMPTY_ALLOC();
+                }
+                zend_string_release(orig_val);
+        }
+        
+        return r;
+}
+
+static int suhosin_hook_s_write(PS_WRITE_ARGS)
+{
+        /* protect dumb session handlers */
+        if (COND_DUMB_SH) {
+                return FAILURE;
+        }
+
+        if (ZSTR_LEN(val) > 0 && SUHOSIN7_G(session_encrypt)) {
+                char cryptkey[33];
+                // SUHOSIN7_G(do_not_scan) = 1;
+                S7_GENERATE_KEY(session, cryptkey);
+                
+                zend_string *v = suhosin_encrypt_string(ZSTR_VAL(val), ZSTR_LEN(val), "", 0, cryptkey);
+
+                // SUHOSIN7_G(do_not_scan) = 0;
+                return SUHOSIN7_G(old_s_write)(mod_data, key, v, maxlifetime);
+        }
+
+        return SUHOSIN7_G(old_s_write)(mod_data, key, val, maxlifetime);
+        
+// return_write:
+        /* protect session vars */
+/*  if (SESSION_G(http_session_vars) && SESSION_G(http_session_vars)->type == IS_ARRAY) {
+                if (SESSION_G(http_session_vars)->refcount==1) {
+                        nullify = 1;
+                }
+                zval_ptr_dtor(&SESSION_G(http_session_vars));
+                if (nullify) {
+                        suhosin_log(S_SESSION, "possible session variables double free attack stopped");
+                        SESSION_G(http_session_vars) = NULL;
+                }
+        }*/
+
+        // return r;
+}
+
+static int suhosin_hook_s_destroy(PS_DESTROY_ARGS)
+{
+        /* protect dumb session handlers */
+        if (COND_DUMB_SH) {
+                return FAILURE;
+        }
+        
+        return SUHOSIN7_G(old_s_destroy)(mod_data, key);
+}
+
+static void suhosin_hook_session_module()
+{
+        ps_module *old_mod = SESSION_G(mod);
+        ps_module *mod;
+        
+        if (old_mod == NULL || SUHOSIN7_G(s_module) == old_mod) {
+                return;
+        }
+
+        if (SUHOSIN7_G(s_module) == NULL) {
+                SUHOSIN7_G(s_module) = mod = malloc(sizeof(ps_module));
+                if (mod == NULL) {
+                        return;
+                }
+        }
+        
+        SUHOSIN7_G(s_original_mod) = old_mod;
+        
+        mod = SUHOSIN7_G(s_module);
+        memcpy(mod, old_mod, sizeof(ps_module));
+        
+        SUHOSIN7_G(old_s_read) = mod->s_read;
+        mod->s_read = suhosin_hook_s_read;
+        SUHOSIN7_G(old_s_write) = mod->s_write;
+        mod->s_write = suhosin_hook_s_write;
+        SUHOSIN7_G(old_s_destroy) = mod->s_destroy;
+        mod->s_destroy = suhosin_hook_s_destroy;
+        
+        SESSION_G(mod) = mod;
+}
+
+static PHP_INI_MH(suhosin_OnUpdateSaveHandler)
+{
+        if (stage == PHP_INI_STAGE_RUNTIME
+                && SESSION_G(session_status) == php_session_none
+                && SUHOSIN7_G(s_original_mod)
+                && zend_string_equals_literal(new_value, "user") == 0
+                && strcmp(((ps_module*)SUHOSIN7_G(s_original_mod))->s_name, "user") == 0) {
+                return SUCCESS;
+        }
+
+        SESSION_G(mod) = SUHOSIN7_G(s_original_mod);
+
+        int r = old_OnUpdateSaveHandler(entry, new_value, mh_arg1, mh_arg2, mh_arg3, stage);
+        
+        suhosin_hook_session_module();
+
+        return r;
+}
+
+
+static int suhosin_hook_session_RINIT(INIT_FUNC_ARGS)
+{
+        if (SESSION_G(mod) == NULL) {
+                zend_ini_entry *ini_entry;
+                if ((ini_entry = zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("session.save_handler")))) {
+                        if (ini_entry->value) {
+                                suhosin_OnUpdateSaveHandler(NULL, ini_entry->value, NULL, NULL, NULL, 0);
+                        }
+                }
+        }
+        return old_SessionRINIT(INIT_FUNC_ARGS_PASSTHRU);
+}
+
+void suhosin_hook_session()
+{
+        zend_module_entry *module;
+        
+        if ((module = zend_hash_str_find_ptr(&module_registry, ZEND_STRL("session"))) == NULL) {
+                return;
+        }
+        /* retrieve globals from module entry struct if possible */
+#ifdef ZTS
+        if (session_globals_id == 0) {
+        session_globals_id = *module->globals_id_ptr;
+        }
+#else
+        if (session_globals == NULL) {
+        session_globals = module->globals_ptr;
+        }
+#endif
+        
+        if (old_OnUpdateSaveHandler != NULL) {
+                return;
+        }
+        
+        /* hook request startup function of session module */
+        old_SessionRINIT = module->request_startup_func;
+        module->request_startup_func = suhosin_hook_session_RINIT;
+        
+        /* retrieve pointer to session.save_handler ini entry */
+        zend_ini_entry *ini_entry;
+        if ((ini_entry = zend_hash_str_find_ptr(EG(ini_directives), ZEND_STRL("session.save_handler"))) != NULL) {
+                /* replace OnUpdateMemoryLimit handler */
+                old_OnUpdateSaveHandler = ini_entry->on_modify;
+                ini_entry->on_modify = suhosin_OnUpdateSaveHandler;
+        }
+        SUHOSIN7_G(s_module) = NULL;
+
+        suhosin_hook_session_module();
+
+#if HAVE_DEV_URANDOM
+        /* increase session identifier entropy */
+        if (SESSION_G(entropy_length) == 0 || SESSION_G(entropy_file) == NULL) {
+                        SESSION_G(entropy_length) = 16;
+                        SESSION_G(entropy_file) = pestrdup("/dev/urandom", 1);
+        }
+#endif
+}
+
+// void suhosin_unhook_session()
+// {
+//      if (old_OnUpdateSaveHandler == NULL) {
+//              return;
+//      }
+//              
+//      /* retrieve pointer to session.save_handler ini entry */
+//      zend_ini_entry *ini_entry;
+//      if ((ini_entry = zend_hash_find(EG(ini_directives), ZEND_STRL("session.save_handler"))) == NULL) {
+//              return;
+//      }
+//      ini_entry->on_modify = old_OnUpdateSaveHandler;
+//      old_OnUpdateSaveHandler = NULL; 
+// }
+
+#else /* HAVE_PHP_SESSION */
+
+#warning BUILDING SUHOSIN WITHOUT SESSION SUPPORT
+
+#endif /* HAVE_PHP_SESSION */
+
+
+/*
+ * Local variables:
+ * tab-width: 4
+ * c-basic-offset: 4
+ * End:
+ * vim600: sw=4 ts=4 fdm=marker
+ * vim<600: sw=4 ts=4
+ */
diff --git a/suhosin7.c b/suhosin7.c
index 7986f2a..6d6655a 100644
--- a/suhosin7.c
+++ b/suhosin7.c
@@ -377,13 +377,13 @@ PHP_INI_BEGIN()
         // STD_S7_INI_ENTRY("suhosin.sql.union", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateSQLLong, sql_union)
 
 #ifdef HAVE_PHP_SESSION
-        // STD_S7_INI_BOOLEAN("suhosin.session.encrypt",                "1",            PHP_INI_PERDIR|PHP_INI_SYSTEM,  OnUpdateMiscBool, session_encrypt)
+        STD_S7_INI_BOOLEAN("suhosin.session.encrypt", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM,       OnUpdateMiscBool, session_encrypt)
         STD_S7_INI_ENTRY("suhosin.session.cryptkey", "", PHP_INI_ALL, OnUpdateMiscString, session_cryptkey)
-        // STD_S7_INI_BOOLEAN("suhosin.session.cryptua",                "0",            PHP_INI_PERDIR|PHP_INI_SYSTEM,  OnUpdateMiscBool, session_cryptua)
-        // STD_S7_INI_BOOLEAN("suhosin.session.cryptdocroot",           "1",            PHP_INI_PERDIR|PHP_INI_SYSTEM,  OnUpdateMiscBool, session_cryptdocroot)
-        // STD_S7_INI_ENTRY("suhosin.session.cryptraddr", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_cryptraddr)     
-        // STD_S7_INI_ENTRY("suhosin.session.checkraddr", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_checkraddr)     
-        // STD_S7_INI_ENTRY("suhosin.session.max_id_length", "128", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_max_id_length)
+        STD_S7_INI_BOOLEAN("suhosin.session.cryptua", "0", PHP_INI_PERDIR|PHP_INI_SYSTEM,       OnUpdateMiscBool, session_cryptua)
+        STD_S7_INI_BOOLEAN("suhosin.session.cryptdocroot", "1", PHP_INI_PERDIR|PHP_INI_SYSTEM,  OnUpdateMiscBool, session_cryptdocroot)
+        STD_S7_INI_ENTRY("suhosin.session.cryptraddr", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_cryptraddr)
+        STD_S7_INI_ENTRY("suhosin.session.checkraddr", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_checkraddr)
+        STD_S7_INI_ENTRY("suhosin.session.max_id_length", "128", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateMiscLong, session_max_id_length)
 #else /* HAVE_PHP_SESSION */
 #warning BUILDING SUHOSIN WITHOUT SESSION SUPPORT. THIS IS A BAD IDEA!
 #ifndef SUHOSIN_WITHOUT_SESSION
@@ -518,9 +518,11 @@ PHP_MINIT_FUNCTION(suhosin7)
         suhosin_hook_register_server_variables();
         suhosin_hook_header_handler();
         suhosin_hook_execute();
-
         suhosin_hook_memory_limit();
         // suhosin_hook_sha256();
+#ifdef HAVE_PHP_SESSION
+        suhosin_hook_session();
+#endif
 
         return SUCCESS;
 }
diff --git a/tests/session/PHPSESSID_max_id_length_ok.phpt b/tests/session/PHPSESSID_max_id_length_ok.phpt
new file mode 100644
index 0000000..2673d08
--- /dev/null
+++ b/tests/session/PHPSESSID_max_id_length_ok.phpt
@@ -0,0 +1,16 @@
+--TEST--
+PHPSESSID session id not too long
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.max_id_length=32
+session.hash_bits_per_character=4
+--COOKIE--
+PHPSESSID=12345678901234567890123456789012;
+--FILE--
+<?php
+session_start();
+echo session_id();
+?>
+--EXPECTF--
+12345678901234567890123456789012
\ No newline at end of file
diff --git a/tests/session/PHPSESSID_max_id_length_toolong.phpt b/tests/session/PHPSESSID_max_id_length_toolong.phpt
new file mode 100644
index 0000000..6bd71fb
--- /dev/null
+++ b/tests/session/PHPSESSID_max_id_length_toolong.phpt
@@ -0,0 +1,16 @@
+--TEST--
+PHPSESSID session id too long
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.max_id_length=32
+session.hash_bits_per_character=4
+--COOKIE--
+PHPSESSID=123456789012345678901234567890123;
+--FILE--
+<?php
+session_start();
+echo strlen(session_id());
+?>
+--EXPECTF--
+32
\ No newline at end of file
diff --git a/tests/session/crypt.checkraddr_4.phpt b/tests/session/crypt.checkraddr_4.phpt
new file mode 100644
index 0000000..42ac96a
--- /dev/null
+++ b/tests/session/crypt.checkraddr_4.phpt
@@ -0,0 +1,29 @@
+--TEST--
+session encryption with checkraddr=4
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+PHPSESSID=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=4
+--FILE--
+<?php
+include "sessionhandler.inc";
+
+session_test_start(new RemoteAddrSessionHandler());
+var_dump($_SESSION);
+
+?>
+--EXPECTF--
+array(1) {
+  ["a"]=>
+  string(1) "b"
+}
diff --git a/tests/session/crypt.checkraddr_4_incorrect.phpt b/tests/session/crypt.checkraddr_4_incorrect.phpt
new file mode 100644
index 0000000..cc468b8
--- /dev/null
+++ b/tests/session/crypt.checkraddr_4_incorrect.phpt
@@ -0,0 +1,27 @@
+--TEST--
+session encryption with checkraddr=4 and incorrect REMOTE_ADDR
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.2
+PHPSESSID=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=4
+--FILE--
+<?php
+include "sessionhandler.inc";
+
+session_test_start(new RemoteAddrSessionHandler());
+var_dump($_SESSION);
+
+?>
+--EXPECTF--
+array(0) {
+}
diff --git a/tests/session/crypt.docroot.phpt b/tests/session/crypt.docroot.phpt
new file mode 100644
index 0000000..d5b6fc6
--- /dev/null
+++ b/tests/session/crypt.docroot.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using docroot
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+DOCUMENT_ROOT=/var/www
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=On
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: NKChb1rdctXd-Acz0uzOYVnJT_J2mxYRVUgSh0w5mlk.
diff --git a/tests/session/crypt.key_default.phpt b/tests/session/crypt.key_default.phpt
new file mode 100644
index 0000000..8e4f12a
--- /dev/null
+++ b/tests/session/crypt.key_default.phpt
@@ -0,0 +1,21 @@
+--TEST--
+session with encryption default key
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: RIuy2LSSd3_s3hhDCnN89bNWyCnhvNAO0YUq7OQKuJc.
diff --git a/tests/session/crypt.key_empty.phpt b/tests/session/crypt.key_empty.phpt
new file mode 100644
index 0000000..3e5da11
--- /dev/null
+++ b/tests/session/crypt.key_empty.phpt
@@ -0,0 +1,21 @@
+--TEST--
+session with encryption key empty
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: RIuy2LSSd3_s3hhDCnN89bNWyCnhvNAO0YUq7OQKuJc.
diff --git a/tests/session/crypt.key_empty_remote_addr.phpt b/tests/session/crypt.key_empty_remote_addr.phpt
new file mode 100644
index 0000000..cf1292a
--- /dev/null
+++ b/tests/session/crypt.key_empty_remote_addr.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption key empty and REMOTE_ADDR set
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: j1YTvIOAUqxZMjuJ_ZnHPHWY5XEayycsr7O94aMzmBQ.
diff --git a/tests/session/crypt.no_encryption.phpt b/tests/session/crypt.no_encryption.phpt
new file mode 100644
index 0000000..6b6bc97
--- /dev/null
+++ b/tests/session/crypt.no_encryption.phpt
@@ -0,0 +1,15 @@
+--TEST--
+session without encryption
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.encrypt=Off
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+?>
+--EXPECTF--
+SESSION: a|s:1:"b";
\ No newline at end of file
diff --git a/tests/session/crypt.raddr_1.phpt b/tests/session/crypt.raddr_1.phpt
new file mode 100644
index 0000000..2070d03
--- /dev/null
+++ b/tests/session/crypt.raddr_1.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using REMOTE_ADDR (cryptraddr=1)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=1
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: wkiQGgZgWnBFDyCs_4QYD_oaw_m35l_5I35XRg0wX_g.
diff --git a/tests/session/crypt.raddr_2.phpt b/tests/session/crypt.raddr_2.phpt
new file mode 100644
index 0000000..b8c21bc
--- /dev/null
+++ b/tests/session/crypt.raddr_2.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using REMOTE_ADDR (cryptraddr=2)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=2
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: WDyvE0R4mUqvOG6e5VzhfgWMjfCWSFC5bNNI_3dIT3w.
diff --git a/tests/session/crypt.raddr_3.phpt b/tests/session/crypt.raddr_3.phpt
new file mode 100644
index 0000000..afe2729
--- /dev/null
+++ b/tests/session/crypt.raddr_3.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using REMOTE_ADDR (cryptraddr=3)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=3
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: 6kLKLrgCmlOuEPXPON_K5SWHLuIbHdLsh4MJ0QtTFj8.
diff --git a/tests/session/crypt.raddr_4.phpt b/tests/session/crypt.raddr_4.phpt
new file mode 100644
index 0000000..28b4098
--- /dev/null
+++ b/tests/session/crypt.raddr_4.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using REMOTE_ADDR (cryptraddr=4)
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+REMOTE_ADDR=127.0.0.1
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=Off
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=4
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: QYSbWh8enETvdtKfao8G6aiXqK7_lhzFmRNYa2lo-UM.
diff --git a/tests/session/crypt.ua.phpt b/tests/session/crypt.ua.phpt
new file mode 100644
index 0000000..4c53273
--- /dev/null
+++ b/tests/session/crypt.ua.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session with encryption using ua
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+HTTP_USER_AGENT=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=On
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+include "sessionhandler.inc";
+session_test_start();
+$_SESSION['a'] = 'b';
+
+
+?>
+--EXPECTF--
+SESSION: 3pVZdIv7vHG-PwO_rLQLUGerd4L_UX60xJoAM-IoVC4.
diff --git a/tests/session/max_id_length_ok.phpt b/tests/session/max_id_length_ok.phpt
new file mode 100644
index 0000000..dbecebd
--- /dev/null
+++ b/tests/session/max_id_length_ok.phpt
@@ -0,0 +1,16 @@
+--TEST--
+session id not too long
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.max_id_length=32
+session.hash_bits_per_character=4
+session.use_strict_mode=0
+--FILE--
+<?php
+session_id('12345678901234567890123456789012');
+session_start();
+echo session_id();
+?>
+--EXPECTF--
+12345678901234567890123456789012
diff --git a/tests/session/max_id_length_toolong.phpt b/tests/session/max_id_length_toolong.phpt
new file mode 100644
index 0000000..a8ec4cc
--- /dev/null
+++ b/tests/session/max_id_length_toolong.phpt
@@ -0,0 +1,15 @@
+--TEST--
+session id too long
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--INI--
+suhosin.session.max_id_length=32
+session.hash_bits_per_character=4
+--FILE--
+<?php
+session_id('123456789012345678901234567890123');
+session_start();
+echo strlen(session_id());
+?>
+--EXPECTF--
+32
\ No newline at end of file
diff --git a/tests/session/session_recursive_crash.phpt b/tests/session/session_recursive_crash.phpt
new file mode 100644
index 0000000..62cb9cd
--- /dev/null
+++ b/tests/session/session_recursive_crash.phpt
@@ -0,0 +1,25 @@
+--TEST--
+session SessionHandler() recursive crash
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+HTTP_USER_AGENT=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=On
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+session_set_save_handler(new SessionHandler(), true);
+$_SESSION['a'] = 'b';
+var_dump($_SESSION);
+--EXPECTF--
+array(1) {
+  ["a"]=>
+  string(1) "b"
+}
diff --git a/tests/session/session_recursive_crash2.phpt b/tests/session/session_recursive_crash2.phpt
new file mode 100644
index 0000000..2a32226
--- /dev/null
+++ b/tests/session/session_recursive_crash2.phpt
@@ -0,0 +1,61 @@
+--TEST--
+session user handler recursive crash - issue suhosin#60
+--SKIPIF--
+<?php include "../skipifcli.inc"; ?>
+--ENV--
+return <<<END
+HTTP_USER_AGENT=test
+END;
+--INI--
+suhosin.session.encrypt=On
+suhosin.session.cryptkey=D3F4UL7
+suhosin.session.cryptua=On
+suhosin.session.cryptdocroot=Off
+suhosin.session.cryptraddr=0
+suhosin.session.checkraddr=0
+--FILE--
+<?php
+$foo = "";
+
+class MySessionHandlerA implements SessionHandlerInterface
+{
+        public function close() {return TRUE;}
+        public function destroy($session_id) {return TRUE;}
+        public function gc($maxlifetime) {return TRUE;}
+        public function open($save_path, $name) { global $foo; $foo .= "A\n"; return TRUE;}
+        public function read($session_id ) {return TRUE;}
+        public function write($session_id, $session_data) {return TRUE;}
+}
+
+session_set_save_handler(new MySessionHandlerA(), true);
+session_start();
+session_destroy();
+
+//
+
+class MySessionHandlerB extends MySessionHandlerA
+{
+        public function open($save_path, $name) { global $foo; $foo .= "B\n"; return TRUE;}
+}
+
+session_set_save_handler(new MySessionHandlerB(), true);
+session_start();
+session_destroy();
+
+//
+
+class MySessionHandlerC extends MySessionHandlerA
+{
+        public function open($save_path, $name) { global $foo; $foo .= "C\n"; return TRUE;}
+}
+
+session_set_save_handler(new MySessionHandlerC(), true);
+session_start();
+session_destroy();
+
+
+echo $foo;
+--EXPECTF--
+A
+B
+C
diff --git a/tests/session/sessionhandler.inc b/tests/session/sessionhandler.inc
new file mode 100644
index 0000000..b8bc7bd
--- /dev/null
+++ b/tests/session/sessionhandler.inc
@@ -0,0 +1,43 @@
+<?php
+
+
+class GenericSessionHandler implements SessionHandlerInterface
+{
+        function open($savePath, $sessionName) { return true; }
+
+        function close() { return true; }
+
+        function read($id) { return (string)""; }
+
+        function write($id, $data) { return true; }
+
+        function destroy($id) { return true; }
+
+        function gc($maxlifetime) { return true; }
+
+}
+class WriteSessionHandler extends GenericSessionHandler
+{
+        function write($id, $data)
+        {
+                echo "SESSION: $data\n";
+                return true;
+        }
+}
+class RemoteAddrSessionHandler extends GenericSessionHandler
+{
+        ## key empty and REMOTE_ADDR set to 127.0.0.1
+        function read($id) { return (string)"j1YTvIOAUqxZMjuJ_ZnHPHWY5XEayycsr7O94aMzmBQ."; }
+}
+
+
+function session_test_start($handler=null) {
+        if (!$handler) {
+                $handler = new WriteSessionHandler();
+        }
+        session_set_save_handler($handler, true);
+        session_start();
+        return $handler;
+}
+
+?>