Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:56751 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 28995 invoked from network); 4 Dec 2011 10:11:58 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Dec 2011 10:11:58 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.42 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.213.42 mail-yw0-f42.google.com Received: from [209.85.213.42] ([209.85.213.42:40010] helo=mail-yw0-f42.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C9/F2-13454-D674BDE4 for ; Sun, 04 Dec 2011 05:11:58 -0500 Received: by ywt2 with SMTP id 2so4194529ywt.29 for ; Sun, 04 Dec 2011 02:11:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; bh=kqwOwDObqZDPJVMK7g23j+GsXvJB/HrgQsxkVRoPdvc=; b=KlO5weeUmhWHGmFmrrl+vmHJbmIWQbdLfth5YLLwxFLdbKTDtnk6OILt4UegPP3RFw +dsjL0Vq/rcum1Itv24Z7AtZ18Dwe4+l2yCkQ+UVGHE5u3fpBtBaSZw09F6p9FkgCTo8 OorGUCiumhOAYa1gt57st1E926s5OTXNvSM9w= Received: by 10.236.180.200 with SMTP id j48mr6071289yhm.26.1322993514219; Sun, 04 Dec 2011 02:11:54 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.100.127.18 with HTTP; Sun, 4 Dec 2011 02:11:14 -0800 (PST) In-Reply-To: <4EDB447F.4000500@sugarcrm.com> References: <4EBDC283.3040700@yahoo.co.jp> <4ED727FB.7030001@uw.no> <4ED76013.50601@lerdorf.com> <4ED85560.6040101@uw.no> <4ED8805B.7070308@uw.no> <4EDA8709.3090407@sugarcrm.com> <4EDB447F.4000500@sugarcrm.com> Date: Sun, 4 Dec 2011 19:11:14 +0900 X-Google-Sender-Auth: Km1M_ZzRdZ8Xl8-0Ld9z155_-rw Message-ID: To: Stas Malyshev Cc: "internals@lists.php.net" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] Strict session? From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Stats, 2011/12/4 Stas Malyshev : > Hi! > > >> For example, it is easy to find cases with google code search, =A0that >> users are setting ID while they really should do is >> session_regenerate_id(). These kind of mistakes would be better to be >> prevented under strict mode, IMHO. > > > I'm not sure how that would help in this case - so the set would be > rejected, then the users will turn the strict mode off to make their code > work and thus lose the protection it provides. How that improves anything= ? > Setting session ID and protection against adoption are two different thin= gs, > why you need to turn off the latter to get the former working? Since the patch sets INI_ALL for session.use_strict_mode, users may disable strict_mode for specific code. They don't have to disable strict mode for whole application. It's possible allow user defined session id, but as far as I searched on google, users are just misused or abused session_id($newid). Since there are many places that users could shooting their own foot, I don't mind to allow session_id($newid). It's far more important provide protection for decent code. Should I go ahead to change this? Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net