Newsgroups: php.internals
Date: Sun, 26 Aug 2012 07:02:29 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Ferenc Kovacs
Cc: Sherif Ramadan, PHP Internals, Stas Malyshev
Subject: Re: [PHP-DEV] Session Id Collisions
References: <50364644.1060302@lerdorf.com>

2012/8/26 Ferenc Kovacs:
>
> On Sat, Aug 25, 2012 at 4:47 AM, Yasuo Ohgaki wrote:
>>
>> Hi,
>>
>> I was willing to add collision detection to session module
>> after session adoption patch is merged.
>>
>> What's the status of session adoption patch?
>> I've created patches for all 3 versions and I think Stas
>> is going to merge it to master and PHP 5.4.
>>
>
> Please don't top post.
> What is this session adoption patch?
> Is it (part of) the Strict session rfc/patch from you?

Yes.
Strict session patch rejects uninitialized session ID, thus it
prevents session adoption/fixation.

I know session ID collision will not happen most likely, but
there are few people who worry about collision. We can check
session ID collision when it is generated. It's an easy patch, but
I didn't include the patch to focus on adoption.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
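
The two behaviours discussed in the message above, rejecting a session ID the server never initialized and checking for a collision when an ID is generated, shown as a userland sketch. This is an added example, not code from the patch or from PHP's session module; `SessionStore`, `create()`, `open()` and the in-memory array standing in for the save handler are hypothetical.

```php
<?php
// Added illustration: SessionStore and its methods are hypothetical names,
// and the array below stands in for a real session save handler.
final class SessionStore
{
    /** @var array<string, array> session ID => session data */
    private array $sessions = [];

    // Collision check at generation time: if the freshly generated ID
    // is already present in the store, generate another one.
    public function create(int $maxAttempts = 5): string
    {
        for ($i = 0; $i < $maxAttempts; $i++) {
            $id = bin2hex(random_bytes(16));
            if (!isset($this->sessions[$id])) {
                $this->sessions[$id] = [];   // mark as initialized by the server
                return $id;
            }
        }
        throw new RuntimeException('could not generate a unique session ID');
    }

    // Strict behaviour: an ID the server never initialized is rejected
    // and replaced with a new one, so a client-supplied ID is never adopted.
    public function open(?string $clientId): string
    {
        if ($clientId !== null && isset($this->sessions[$clientId])) {
            return $clientId;
        }
        return $this->create();
    }
}

$store  = new SessionStore();
$issued = $store->create();

// Constructed inputs: one ID issued by the store, one chosen by the client.
$kept     = $store->open($issued);
$replaced = $store->open('client-chosen-id');

echo 'issued ID kept: ', var_export($kept === $issued, true), PHP_EOL;
echo 'client-chosen ID adopted: ', var_export($replaced === 'client-chosen-id', true), PHP_EOL;
```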