Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:117744
Return-Path: <craig@craigfrancis.co.uk>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 91715 invoked from network); 18 May 2022 14:57:09 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 18 May 2022 14:57:09 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id B93021804A9
	for <internals@lists.php.net>; Wed, 18 May 2022 09:37:55 -0700 (PDT)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.2 required=5.0 tests=BAYES_20,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <craig@craigfrancis.co.uk>
Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 18 May 2022 09:37:55 -0700 (PDT)
Received: by mail-wm1-f49.google.com with SMTP id r6-20020a1c2b06000000b00396fee5ebc9so1352266wmr.1
        for <internals@lists.php.net>; Wed, 18 May 2022 09:37:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=craigfrancis.co.uk; s=default;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=R66Lm/asPygi6N7lNg+4MszNGgJHMrHVRkBAV6HPtKk=;
        b=BxrOQZ++mjHXwXfKfHm9kjacGJxI2NxopyYsCaUUk1sTAX5AuZ7XmFn8lSsOXS1318
         bC9JGZk2+xo9/OxC3GyN1qMfvGa4hPcsAz0YZE6PE15nVtkTN47JlLrIz0I2xWYpkm9g
         /Vj8kshekexcR3klh4pAvgkz+Chf4uX9jeUsA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=R66Lm/asPygi6N7lNg+4MszNGgJHMrHVRkBAV6HPtKk=;
        b=4uMJ0z9N9MkrhoipT+we9xdlDxIddHwJrJl39mcjdO2rhbPYoO+jXu81ccbtSCCnQh
         FF9rIvVd0wAEKLigIqlS1e2azgJUJ5tNezQQQnxBOqUVoBE6O21NUZ/Zma4RapiJICHx
         H86bnNZetqX5YHc9EhlFpfGw+cd0OucZoBkQCEuUrephWCUFBebTUnLsw8wurUxkLbQ2
         aN+SybslqMYs3qXfohZo+Egmh6kwbtAwd4Ne+pwF71bbGf1+PBrne0gaZJX/rb4E5zuv
         QfmB8ASh9R31Lsfzo60PiiM3Jc8NyCRnbinLT+26JfRVH4Ep/1lYpHgr3txs69Fx/7p/
         H8jw==
X-Gm-Message-State: AOAM533fwP6jVln62sRYApkHGrhs2LZaepL33vO8hVbKs/4TJVwiCtvZ
	pVn5qifqa1e1D0WIkrtxiMdP8w==
X-Google-Smtp-Source: ABdhPJwJDq8SgG0EzV/2QyKaYcxH4ZWHQRFwQnXGEgC5YMgiVnsMKpWxrVD9skbOK9W7ZlMdasMbxg==
X-Received: by 2002:a05:600c:5105:b0:394:7d22:aa93 with SMTP id o5-20020a05600c510500b003947d22aa93mr193472wms.107.1652891873969;
        Wed, 18 May 2022 09:37:53 -0700 (PDT)
Received: from smtpclient.apple ([94.173.138.98])
        by smtp.gmail.com with ESMTPSA id v13-20020a5d4b0d000000b0020c5253d8e0sm2433676wrq.44.2022.05.18.09.37.52
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 18 May 2022 09:37:53 -0700 (PDT)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
In-Reply-To: <628518bb.1c69fb81.1deb1.1bd5SMTPIN_ADDED_MISSING@mx.google.com>
Date: Wed, 18 May 2022 17:37:52 +0100
Cc: internals@lists.php.net
Content-Transfer-Encoding: quoted-printable
Message-ID: <86A3AC49-1F82-423A-9E66-B334E947E53B@craigfrancis.co.uk>
References: <CA+XhMqw0YmvwXh_pyQgFZcWC1kO7yBrF5pkAhSzB_eHbABFnUw@mail.gmail.com>
 <62841d87.1c69fb81.82a5.8a18SMTPIN_ADDED_MISSING@mx.google.com>
 <9272E23F-F962-4023-B62D-7A70EA08E828@craigfrancis.co.uk>
 <628518bb.1c69fb81.1deb1.1bd5SMTPIN_ADDED_MISSING@mx.google.com>
To: Mark Randall <marandall@php.net>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Subject: Re: [PHP-DEV] Early feedback on encrypted session PR
From: craig@craigfrancis.co.uk (Craig Francis)

On 18 May 2022, at 17:02, Mark Randall <marandall@php.net> wrote:
> Personally I usually just throw the session key through a one-way hash =
so the original session ID never gets written to a backing store.


Good idea, but that's not done by default.


> I'm not sure why reversible encryption needs to take place?



It might provide privacy (if the attacker can read the session files, =
and they contain sensitive information, e.g. some developers store a =
copy of the users entire record in the session to avoid db lookups)... =
and it might prevent edits being made to the session file.

I would hope both are very rare, but I'm still writing up reports about =
developers doing things like `file_put_contents('/tmp/' . $_POST['id'], =
$_POST['message'])`, so I don't have a lot of hope.

Craig