One of our SimpleRisk customers reported receiving the following error message when trying to authenticate with SimpleRisk after performing a fresh installation of the application:

[Fri Apr 28 11:23:04.506835 2017] [php5:error] [pid 9553] [client X.X.X.X:55046] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'id' at row 1' in /var/www/simplerisk/includes/authenticate.php:862\nStack trace:\n#0 /var/www/simplerisk/includes/authenticate.php(862): PDOStatement->execute()\n#1 [internal function]: sess_write('xxxxxxxxxxx...', 'alert|b:0;alert...')\n#2 {main}\n  thrown in /var/www/simplerisk/includes/authenticate.php on line 862

Upon investigating, we discovered that the size of a PHP session ID value is determined by two parameters that are set in the php.ini file:

  • session.hash_function
  • session.hash_bits_per_character

In this case, the customer had the session.hash_function parameter set to "sha256" instead of the default value of 0 (MD5 128 bits).  The session.hash_bits_per_character was already set to the default value of 5.  The "sha256" value caused a session ID larger than 32 characters to be set, which, in turn, caused the authentication routines in SimpleRisk to fail.  The short-term workaround is to set the session.hash_function value to 0 and restart Apache for the change to take effect.  In the longer-term, we have added increasing the maximum size of that session ID value as a high-priority item on the SimpleRisk roadmap.