Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:67926
Return-Path: <arraypad@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 2521 invoked from network); 27 Jun 2013 09:02:58 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 27 Jun 2013 09:02:58 -0000
Authentication-Results: pb1.pair.com smtp.mail=arraypad@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=arraypad@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.41 as permitted sender)
X-PHP-List-Original-Sender: arraypad@gmail.com
X-Host-Fingerprint: 209.85.215.41 mail-la0-f41.google.com  
Received: from [209.85.215.41] ([209.85.215.41:38042] helo=mail-la0-f41.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 91/C9-51393-1CFFBC15 for <internals@lists.php.net>; Thu, 27 Jun 2013 05:02:57 -0400
Received: by mail-la0-f41.google.com with SMTP id fn20so521083lab.28
        for <internals@lists.php.net>; Thu, 27 Jun 2013 02:02:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=NgVjZ+zKRVX4D9zRqDlEKacC3ZsfgBo/1NZm9kJaN9Q=;
        b=XrDuMUMjdGkfRo+Armofr55UWJXIMT8biQO2M+CiAgiNgep0J7L2gj6UqkqOe2evcP
         wPqLswhn5vZtfmrSGB/jRhHBG/oyf1I8M2/pqUr/wWp1PouRqc5PEN44UryOpvV6o1XB
         qRJhPbC+qoGEN7r6yjNedm+wTbl17PfqG2JXgUYP2JT2igKbvVjUm73GfPNHJMjXN6Si
         FunNLpEGsmM/WeFmHKEuZ8VK3c+usxJdGs/E9v4rpc15Oboe24WsvgrfycC/CecPaxT6
         nK3wW1N5E/1V3DRgOn9IK1bTxAuNX++8Jg+sU2+1ZK31EJtoVslhKBlxrp8xGrRI6k3B
         8CRg==
MIME-Version: 1.0
X-Received: by 10.152.2.201 with SMTP id 9mr3586181law.84.1372323773710; Thu,
 27 Jun 2013 02:02:53 -0700 (PDT)
Received: by 10.112.18.200 with HTTP; Thu, 27 Jun 2013 02:02:53 -0700 (PDT)
In-Reply-To: <CAGa2bXY-+B-_-3N2=VYy7rJB-eXF0nzrGA-eSJmM+O87qDrx-Q@mail.gmail.com>
References: <CAJRMtAGcN-n9wv8-CFiLt+bXhMvOcmfG8a3kBORVUVCz9n4Bqw@mail.gmail.com>
	<50364644.1060302@lerdorf.com>
	<CAJRMtAH=-B8+M6+kMrpKQZ=Yg2ASa5iv=JCUbjvHkw0UFmw73w@mail.gmail.com>
	<CAL+t6cHj4p=RLwSRGX789w-CswZQd_XtuL364KRBsc66ROdmJA@mail.gmail.com>
	<CAGa2bXY2+kDx32evFmFqUD3P1L6x=PypnVJTuj_mP2853QWQKw@mail.gmail.com>
	<5039D249.30707@sugarcrm.com>
	<CAGa2bXZso_S3fOUogqMwiTYJKtK3KZH5Fs8GZApxMnT+DwgpbQ@mail.gmail.com>
	<CAGa2bXauBFja+BJcLxiE5t5rnfna1QDt3iTRdYr04a1ExFz7+A@mail.gmail.com>
	<503A968A.4070206@sugarcrm.com>
	<CAGa2bXaMYxD3-mbATK0WfEryVEvjHE8m2RnujTauLN8t1S+H6w@mail.gmail.com>
	<CAGa2bXZ3pYiO5Lfn5NS-vuPBk_X6SUsr6Qsswya6mx0S3SjgeQ@mail.gmail.com>
	<CAGa2bXY-+B-_-3N2=VYy7rJB-eXF0nzrGA-eSJmM+O87qDrx-Q@mail.gmail.com>
Date: Thu, 27 Jun 2013 10:02:53 +0100
Message-ID: <CA+p1TcaR59H6=wH22oidGPa0QKP9QBE6e9HrSgT8f9oUg6kvDA@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: Stas Malyshev <smalyshev@sugarcrm.com>, Sherif Ramadan <theanomaly.is@gmail.com>, 
	PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e013c67600c88c804e01f0703
Subject: Re: [PHP-DEV] Session Id Collisions
From: arraypad@gmail.com (Arpad Ray)

--089e013c67600c88c804e01f0703
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Jun 27, 2013 at 1:36 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Hi,
>
> Sorry for the long delay, I've sent pull requests
>
> https://github.com/php/php-src/pull/368
> https://github.com/php/php-src/pull/367
> https://github.com/php/php-src/pull/366
>
>
Hi,

I see the strict mode check is now implemented in the handlers and not
session.c, presumably to keep ABI, but this means code is duplicated and
the setting only actually works if the handler supports it. It's
unfortunate timing since 5.5 has just gone, but I think it would make much
more sense to have a new function in the structure (as in your original
patch) and do this only in PHP.next.

Having such an ini setting which quietly fails if using an unsupported
handler is not good. I guess you could keep a whitelist of supported
handlers but that's also obviously far from ideal.

Regards,

Arpad



> Thank you for your time.
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
>
> 2012/12/24 Yasuo Ohgaki <yohgaki@ohgaki.net>
>
> > Hi stats and others,
> >
> > Sorry for the delay.
> > I've finally updated the strict session patch.
> >
> > Following diff is against PHP-5.3, but 5.4 and others will be mostly the
> > same.
> >
> >
> >
> https://github.com/yohgaki/php-src/commit/42dcd8ef7cd2f9f2071b16586822dadd647c96ef
> >
> > I was promised to create separate patch for session id collision
> > detection, but
> > the patch is also in the diff. I left comments for the "if" statement
> > handles
> > collision. If you still prefer to have separate patch, I'll do it when
> > I send pull requests.
> >
> > If nobody has comment, I'll create patch for 5.4.
> >
> > If you read this patch closely, you'll see that this patch accesses
> > PS(id) global directly due to limitation of current API. It would be
> > good to have new API for 5.5, I think.
> >
> > BTW, this patch fixes bug #60634 as a side effect also.
> > https://bugs.php.net/bug.php?id=60634
> >
> > Comments are appreciated.
> >
> > Regards,
> >
> > --
> > Yasuo Ohgaki
> > yohgaki@ohgaki.net
> >
>

--089e013c67600c88c804e01f0703--