Newsgroups: php.internals
Subject: Re: [PHP-DEV] Strict session?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Ferenc Kovacs
Cc: "Daniel K.", Rasmus Lerdorf, internals@lists.php.net
Date: Fri, 2 Dec 2011 18:51:36 +0900
References: <4EBDC283.3040700@yahoo.co.jp> <4ED727FB.7030001@uw.no> <4ED76013.50601@lerdorf.com> <4ED85560.6040101@uw.no> <4ED8805B.7070308@uw.no>

Hi Ferenc,

2011/12/2 Ferenc Kovacs:
>
> wouldn't it be better if we push the session id validation to the
> application level?
> we should provide a hook both to the C api and to
> the session_set_save_handler.
> of course we can additionally change the default range of valid characters
> for the default session handler implementation, but it would still be possible
> for the application developer to change or extend that.
>

It's possible with session_set_save_handler(), but users should implement
all save handlers.

session_set_save_handler() could be modified just to add a validation
function and choose any chars except chars invalidated by
php_session_initialize():

    /* check session name for invalid characters */
    if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
        efree(PS(id));
        PS(id) = NULL;
    }

For example, we may do

    bool session_set_save_handler(SESSION_SET_VALIDATE_ID, "my_validation_id_function");

There are many possible implementations.

Any comments?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
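The check quoted above from php_session_initialize() is a deny-list: an id is rejected only if it contains one of a handful of bytes, so any other byte (for example '/' or '.') passes through to the save handler. The example below, added here and not code from the mail or from PHP's session extension, puts that deny-list check next to an allow-list check that accepts only ids of a bounded length made entirely of the alphabet the default session id generator emits for 4, 5 or 6 bits per character. The length bounds SID_MIN_LEN and SID_MAX_LEN are assumptions chosen for the example, not values from the mail or from php.ini.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Deny-list check, mirroring the strpbrk() test quoted in the mail:
 * the id is rejected only if it contains one of these bytes. */
bool sid_passes_denylist(const char *id)
{
    return id != NULL && strpbrk(id, "\r\n\t <>'\"\\") == NULL;
}

/* Assumed length bounds for an acceptable session id (example values). */
#define SID_MIN_LEN 22
#define SID_MAX_LEN 128

/* Alphabet produced by PHP's default id encoding for a given
 * session.hash_bits_per_character setting; NULL for unsupported values. */
static const char *sid_alphabet(int bits_per_char)
{
    switch (bits_per_char) {
    case 4: return "0123456789abcdef";
    case 5: return "0123456789abcdefghijklmnopqrstuv";
    case 6: return "0123456789abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ,-";
    default: return NULL;
    }
}

/* Allow-list check: length within bounds and every byte in the alphabet. */
bool sid_passes_allowlist(const char *id, int bits_per_char)
{
    const char *alphabet = sid_alphabet(bits_per_char);
    size_t len;

    if (id == NULL || alphabet == NULL)
        return false;
    len = strlen(id);
    if (len < SID_MIN_LEN || len > SID_MAX_LEN)
        return false;
    /* strspn() counts the leading run of allowed bytes; it must span the whole id. */
    return strspn(id, alphabet) == len;
}

int main(void)
{
    /* Constructed sample ids for the demonstration. */
    const char *ids[] = {
        "0123456789abcdef0123456789abcdef",        /* well-formed hex id */
        "0123456789abcdef0123456789abcdef/../x",   /* passes deny-list, fails allow-list */
        "0123456789abcdef<script>0123456789",      /* fails both */
    };
    size_t i;

    for (i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        printf("%-40s deny-list: %s  allow-list(4): %s\n", ids[i],
               sid_passes_denylist(ids[i]) ? "pass" : "reject",
               sid_passes_allowlist(ids[i], 4) ? "pass" : "reject");
    }
    return 0;
}
```

The second sample id shows the gap between the two approaches: the deny-list accepts it because none of the listed bytes appear, while the allow-list rejects it on the first byte outside the alphabet. A validation hook of the kind proposed in the mail is the natural place for a save handler to apply the allow-list that matches the ids it actually issues.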