Newsgroups: php.internals
Subject: Re: [PHP-DEV] Early feedback on encrypted session PR
From: cmbecker69@gmx.de ("Christoph M. Becker")
Date: Wed, 18 May 2022 19:43:28 +0200
To: Craig Francis, Mark Randall
Cc: internals@lists.php.net
Message-ID: <5b866dcf-cbc7-4441-362b-3fa2c735dd8f@gmx.de>
In-Reply-To: <86A3AC49-1F82-423A-9E66-B334E947E53B@craigfrancis.co.uk>

On 18.05.2022 at 18:37, Craig Francis wrote:

> On 18 May 2022, at 17:02, Mark Randall wrote:
>
>> Personally I usually just throw the session key through a one-way hash so the original session ID never gets written to a backing store.
>
> Good idea, but that's not done by default.

But also not by the PR, as I understand it.

>> I'm not sure why reversible encryption needs to take place?
>
> It might provide privacy (if the attacker can read the session files, and they contain sensitive information, e.g. some developers store a copy of the user's entire record in the session to avoid db lookups)... and it might prevent edits being made to the session file.

It is already possible to write one's own SessionHandler which encrypts/decrypts the session payload. That said, I'm not against adding an encryption option.

> I would hope both are very rare, but I'm still writing up reports about developers doing things like `file_put_contents('/tmp/' . $_POST['id'], $_POST['message'])`, so I don't have a lot of hope.

Right. And no amount of magic features implemented by a language or library will prevent such issues completely. It might not have been the best idea to make PHP so beginner friendly.

--
Christoph M. Becker
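Added example, not the PR under discussion and not code posted by anyone in this thread: a custom SessionHandlerInterface implementation of the kind Christoph refers to, which also applies Mark's one-way-hash idea. The on-disk name is a hash of the session ID, so the raw ID never reaches the backing store, and the serialized payload is encrypted and authenticated with libsodium's XChaCha20-Poly1305 AEAD, covering both the privacy and the tamper-resistance Craig mentions. It goes one step beyond the thread by binding the storage name into the ciphertext as associated data, so a session file copied over another session's file fails authentication instead of being accepted. Assumed: PHP 8.0 or later with ext/sodium, a writable directory, a 32-byte key the application keeps outside the session directory (generated at runtime here only for the demo), and a constructed session ID and payload.

```php
<?php
declare(strict_types=1);

// Added example (not the PR, not the thread's code). Assumes PHP >= 8.0 with ext/sodium.
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    private const NONCE_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24 bytes

    public function __construct(private string $dir, private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('session key must be 32 bytes');
        }
        $this->dir = rtrim($dir, '/');
    }

    // Storage name = one-way hash of the session ID (the raw ID is never written).
    // The same string is the AEAD associated data, tying each ciphertext to its session.
    private function name(string $id): string
    {
        return 'sess_' . hash('sha256', $id);
    }

    private function path(string $id): string
    {
        return $this->dir . '/' . $this->name($id);
    }

    public function open(string $path, string $name): bool
    {
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        $blob = @file_get_contents($this->path($id));
        if ($blob === false || strlen($blob) <= self::NONCE_LEN) {
            return ''; // unknown ID or truncated file: empty session, never an error
        }
        $nonce = substr($blob, 0, self::NONCE_LEN);
        $ct    = substr($blob, self::NONCE_LEN);
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ct, $this->name($id), $nonce, $this->key);
        if ($plain === false) {
            // Wrong key, modified bytes, or a file swapped in from another session:
            // discard rather than hand unauthenticated data to the application.
            error_log('session payload failed authentication, discarding');
            return '';
        }
        return $plain;
    }

    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(self::NONCE_LEN); // fresh nonce for every write
        $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($data, $this->name($id), $nonce, $this->key);
        return file_put_contents($this->path($id), $nonce . $ct, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $p = $this->path($id);
        return !file_exists($p) || unlink($p);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) < time() - $max_lifetime && unlink($f)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// In a real request, register it before session_start():
//   session_set_save_handler(new EncryptedFileSessionHandler($dir, $key), true);

// Stand-alone demonstration with a constructed session ID and serialized payload.
$dir = sys_get_temp_dir() . '/enc-sessions-demo';
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen(); // demo only; load from config in practice
$h   = new EncryptedFileSessionHandler($dir, $key);
$h->open($dir, 'PHPSESSID');
$h->write('demo-session-id', 'user_id|i:42;email|s:14:"a@example.test";');

$file = $dir . '/sess_' . hash('sha256', 'demo-session-id');
var_dump(str_contains(file_get_contents($file), 'example.test')); // bool(false): only ciphertext on disk
var_dump($h->read('demo-session-id'));                           // the original serialized payload
var_dump(file_exists($dir . '/sess_demo-session-id'));            // bool(false): raw ID is not a file name
$h->destroy('demo-session-id');
```

Two points the thread raises are visible in the demo: the file name on disk is the hash, not the ID, and the file content carries no plaintext. The associated-data binding is what makes "prevent edits" hold in the stronger sense: not only bit-flips but also replacing one session's file with another's is rejected at read time, where it is logged and treated as an empty session rather than as an error that would leak the failure to the user.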