Newsgroups: php.internals
Date: Tue, 25 Jun 2024 19:58:37 +0200
Subject: Re: [PHP-DEV] [RFC] Deprecations for PHP 8.4
To: "Rowan Tommins [IMSoP]", internals@lists.php.net
From: tim@bastelstu.be (Tim Düsterhus)

Hi

On 6/25/24 18:03, Rowan Tommins [IMSoP] wrote:
> Then again, if you _actually_ want it to be unique, rather than random,
> those aren't the right replacements anyway.

They are for all intents and purposes if the generated string is long enough. By the pigeonhole principle you can't guarantee uniqueness for a fixed-length string, but when you have 128 bits of entropy you are statistically all but guaranteed to receive a unique string. I've made an example calculation for the "session.sid_length and session.sid_bits_per_character" bit of this very RFC.

The replacement I suggested to Marco `bin2hex(random_bytes(16))` does use exactly 128 bits (16 bytes) of secure randomness for that reason.

For Randomizer::getBytesFromString() you can calculate the entropy as follows:

    var_dump(log(strlen($string) ** $length, 2));

You can calculate the minimum length to have 128 bits of entropy for a given alphabet string as follows:

    var_dump(ceil(log(2**128, strlen($string))));

For some example alphabets, the minimum length for 128 bits of entropy would be:

- [0-9]       : 39
- [0-9a-f]    : 32
- [a-z]       : 28
- [a-z0-9]    : 25
- [a-zA-Z]    : 23
- [a-zA-Z0-9] : 22

Best regards
Tim Düsterhus
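
The length calculation from the message above, wrapped into a reusable helper; this is an added example, not part of the original email or of php-src. It assumes PHP 8.3+ (for Randomizer::getBytesFromString()), and the names bitsPerChar, minLength and randomId are hypothetical. It goes one step beyond the message by using min-entropy, which equals log2(strlen($string)) when every byte of the alphabet is distinct and is lower when bytes repeat, because a repeated byte is proportionally more likely to be picked.

```php
<?php
declare(strict_types=1);

use Random\Randomizer;

/**
 * Min-entropy in bits contributed by each byte that
 * Randomizer::getBytesFromString() picks from $alphabet.
 */
function bitsPerChar(string $alphabet): float
{
    if ($alphabet === '') {
        throw new ValueError('alphabet must not be empty');
    }
    $counts = count_chars($alphabet, 1);       // byte value => occurrences
    $pMax = max($counts) / strlen($alphabet);  // probability of the most likely byte
    return -log($pMax, 2);
}

/** Smallest string length whose total min-entropy reaches $targetBits. */
function minLength(string $alphabet, int $targetBits = 128): int
{
    $bits = bitsPerChar($alphabet);
    if ($bits <= 0.0) {
        throw new ValueError('alphabet needs at least two distinct bytes');
    }
    return (int) ceil($targetBits / $bits);
}

/** Random identifier carrying at least $targetBits bits of entropy. */
function randomId(string $alphabet, int $targetBits = 128): string
{
    // Randomizer defaults to the cryptographically secure engine.
    $length = minLength($alphabet, $targetBits);
    return (new Randomizer())->getBytesFromString($alphabet, $length);
}

// Constructed sample alphabets.
$hex = '0123456789abcdef';
$alnum = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

var_dump(minLength($hex));    // [0-9a-f] row of the table
var_dump(minLength($alnum));  // [a-zA-Z0-9] row of the table
var_dump(minLength('aab'));   // repeated byte: needs more than log2(3) suggests
var_dump(randomId($alnum));
```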