Newsgroups: php.internals
Xref: news.php.net php.internals:56744
Date: Sun, 4 Dec 2011 17:19:58 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Strict session?
In-Reply-To: <4EDA8709.3090407@sugarcrm.com>
References: <4EBDC283.3040700@yahoo.co.jp> <4ED727FB.7030001@uw.no> <4ED76013.50601@lerdorf.com> <4ED85560.6040101@uw.no> <4ED8805B.7070308@uw.no> <4EDA8709.3090407@sugarcrm.com>

Hi Stas,

2011/12/4 Stas Malyshev:
>> If a user really wants to set the session ID, they can explicitly disable
>> use_strict_mode.
>>
>> For almost all applications, setting a static ID is bad code. There are
>> some applications that exploit adoptive sessions, but they can live
>> with the new code also.
>
> I'm not sure I understand - why is prohibiting the setting of the session ID
> necessary? I understand the idea of the original patch - if somebody could
> set your session ID for you, without the knowledge of either the user or the
> app, it is bad since a third party knows this ID and thus can use it. However,
> I do not understand why it is bad for the app to set the session ID - after
> all, the session ID comes from the app anyway, what's the problem here? Why do
> we have to deny the benefits of the protection that this patch claims to
> provide against injecting a session by a third party to the applications
> that set the session from inside? I do not understand the link between one
> and the other, can you please explain?

For example, it is easy to find cases with Google Code Search where users are
setting the ID while what they really should do is session_regenerate_id().

These kinds of mistakes would be better prevented under strict mode, IMHO.
We can say that shooting yourself in the foot is your responsibility, but I
think raising an error would be more user friendly.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
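The two patterns the mail contrasts, as an added example written for this page (it is not code from the thread or from PHP's own source): a login handler that adopts an ID handed to it by the request, beside one that lets PHP issue the ID and rotates it with session_regenerate_id(). The ini_set() line enables the session.use_strict_mode setting the thread is proposing; it assumes a PHP build in which that setting exists, and the function names login_adopting_id and login_regenerating_id are invented for illustration.

```php
<?php
// Added example, not from the thread. Shows the "set the ID yourself"
// mistake beside the pattern it should be replaced with.

// Refuse session IDs the server never issued: an uninitialized ID sent by
// the client is discarded and a fresh one is generated. This is the setting
// the thread proposes; it must be set before session_start().
// (Assumes a PHP build that has session.use_strict_mode.)
ini_set('session.use_strict_mode', '1');

// --- Mistake: adopting an ID supplied by the request --------------------
// Whatever ID arrives with the request becomes the session ID, so whoever
// chose that ID shares the session. This is the "adoptive session"
// behaviour strict mode is meant to reject. Name is hypothetical.
function login_adopting_id(string $user, string $requestedId): void
{
    session_id($requestedId);   // caller-chosen ID is accepted as-is
    session_start();
    $_SESSION['user'] = $user;
}

// --- Correct: let PHP generate the ID, rotate it on privilege change ----
// The pre-login ID, whatever its origin, is discarded at login and a new
// server-generated ID is issued. Name is hypothetical.
function login_regenerating_id(string $user): void
{
    session_start();
    // true also deletes the old session's data on the server so the
    // pre-login ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

// Usage sketch for a request handler (constructed input, not real data):
// after verifying credentials, call the regenerating variant and never
// pass request data to session_id().
if (php_sapi_name() !== 'cli') {
    $authenticatedUser = 'alice';      // constructed value
    login_regenerating_id($authenticatedUser);
}
```

The point of the contrast is that the app does not need to pick an ID to get a fresh session; session_regenerate_id() does that with a server-generated value, which is why the mail argues the explicit-ID path is almost always a mistake rather than a feature.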