Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117742
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 74408 invoked from network); 18 May 2022 13:43:07 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 18 May 2022 13:43:07 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 424F61804C6
	for <internals@lists.php.net>; Wed, 18 May 2022 08:23:53 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=5.0 tests=BAYES_20,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 18 May 2022 08:23:52 -0700 (PDT)
Received: by mail-wm1-f47.google.com with SMTP id i20-20020a05600c355400b0039456976dcaso2485168wmq.1
        for <internals@lists.php.net>; Wed, 18 May 2022 08:23:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=FtVh75i14u7HZIHmvjdjWyNjl26aY39Td7kTZITBb6M=;
        b=i/462gqlkGJUOJksT2Y5udMwPO8i3xM9dnx7/rKz8loxTh2Qvsk7B12NIpv3QXT89j
         N1rir6W4zdGkfhfgsC6WilnnNAuJRLRKStyuwEGlJfIpS4XrwDCp2Ek8ax9R6q1CQKKp
         Kg5DAGhw1MgEOZb3mOSakEGlqjJte04bSlK54=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=FtVh75i14u7HZIHmvjdjWyNjl26aY39Td7kTZITBb6M=;
        b=x7u/JfD3LIe+25c9RQgMH6zoKr14+ShgmStZy/hvyUaYe3Y3QALWhFltOyi9hVlZij
         nxrKal9dZefq8qDLfbRKIYqoHVa/3gcVo+X9y0yLRet9SoMxPUyt3567dtpD4CKGGAkN
         IVRu6RaP4C9fWCINdDrKcvWWngiUumvwS2zdCZq3KEYwqG2rmtJg7vgE2s/YV8SWZpM6
         DrsmqdM/4GbwhQiqYYFLr+3xQer+3HeCri0aJzla8KT/pqDSzXszesgfYVBogfFVkkdd
         zoF/81l6fPqMP62cTlqQpqTmFieK7bSchZPygFo1GJMXi2CRviuAOqoqmOnsp8lGuKai
         y0zA==
X-Gm-Message-State: AOAM5320EvuRprx05KIFYabl2Z9IIloeEyN2+qTfAbTAZfszZWITAScV
	KU/5uWTsnX2yFM83TMn9DPgroUVa9SKjXg==
X-Google-Smtp-Source: ABdhPJyOjKtsCsYzfaARzsdCr5/axgHNG4dTc+xD4Ho/Nd5pPwpbjoIq9BZARkASm7PKWulwj6L0Tg==
X-Received: by 2002:a05:600c:ad3:b0:394:46ae:549b with SMTP id c19-20020a05600c0ad300b0039446ae549bmr412942wmr.113.1652887431488;
        Wed, 18 May 2022 08:23:51 -0700 (PDT)
Received: from smtpclient.apple ([94.173.138.98])
        by smtp.gmail.com with ESMTPSA id m41-20020a05600c3b2900b003942a244f51sm4836633wms.42.2022.05.18.08.23.50
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 18 May 2022 08:23:50 -0700 (PDT)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
In-Reply-To: <62841d87.1c69fb81.82a5.8a18SMTPIN_ADDED_MISSING@mx.google.com>
Date: Wed, 18 May 2022 16:23:49 +0100
Cc: internals@lists.php.net
Content-Transfer-Encoding: quoted-printable
Message-ID: <9272E23F-F962-4023-B62D-7A70EA08E828@craigfrancis.co.uk>
References: <CA+XhMqw0YmvwXh_pyQgFZcWC1kO7yBrF5pkAhSzB_eHbABFnUw@mail.gmail.com>
 <62841d87.1c69fb81.82a5.8a18SMTPIN_ADDED_MISSING@mx.google.com>
To: Mark Randall <marandall@php.net>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Subject: Re: [PHP-DEV] Early feedback on encrypted session PR
From: craig@craigfrancis.co.uk (Craig Francis)

On 17 May 2022, at 23:11, Mark Randall <marandall@php.net> wrote:
> On 17/05/2022 21:36, David CARLIER wrote:
>> I wanted a more general but early feedback on the idea itself
>> https://github.com/php/php-src/pull/3759
>=20
> What is the motivation? What is it meant to achieve?


If the Session ID continued to work as the Identifier, but the client =
was given the Session ID and a Random Key (could be concatenated =
together for the cookie)... that means the Random Key would not be =
stored on the server, and could protect the session if there was a =
vulnerability on the server/website (e.g. attacker being able to see the =
directory listing of session files)... I'm not sure how much of a =
benefit that will actually provide, vs the risk of it going wrong (e.g. =
future PHP changing encryption algorithm).

Craig