Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session Id Collisions
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Arpad Ray
Cc: Stas Malyshev, PHP Internals
Date: Mon, 5 Aug 2013 18:50:16 +0900
References: <50364644.1060302@lerdorf.com> <5039D249.30707@sugarcrm.com> <503A968A.4070206@sugarcrm.com> <51FEEEAF.1070705@sugarcrm.com> <51FEF5AA.5060409@sugarcrm.com>

Hi Arpad,

On Mon, Aug 5, 2013 at 6:22 PM, Arpad Ray wrote:
> I thought we were in agreement about doing this properly in PHP.next? My
> arguments against this version of the patch still stand:

We had a long discussion and decided to apply it to the maintained branches as a security enhancement more than a year ago. We also planned to apply the patch to 5.3 originally, but 5.3 is security-fix only now.

Anyway, if users are resetting the session id properly, they are protected against session adoption attacks. However, if users do not protect their apps properly, then they are at risk of session adoption.

This fix is rather important for PHP, since there are many setups that share PHP with many apps. That's the reason why we decided to apply this patch to the maintained branches.

PHP web server admins should feel much safer than before with this feature.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
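The message above says applications are protected against session adoption when they reset the session id properly. The following is an added example, not code from the thread or from the patch under discussion, showing what "properly" looks like from the application side: the id is regenerated at every privilege change (login and logout), so an id that was planted in a victim's browser before authentication never becomes the id that carries the authenticated state. The user table, the demo password and the `check_credentials` function are constructed for this example; the ini settings used are real PHP settings, and `session.use_strict_mode` is included from my own knowledge of later PHP releases rather than from anything this message states.

```php
<?php
// Added example (not from the php.internals thread): reset the session id
// whenever the session's privilege level changes.

// Server-side hardening, set before session_start().
ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
ini_set('session.cookie_httponly', '1');    // keep the cookie away from scripts
// Reject ids PHP did not generate itself (PHP >= 5.5.2; a setting I know from
// the PHP manual, not one named in this message).
ini_set('session.use_strict_mode', '1');

session_start();

// Constructed demo credential store: one user with a hash computed at startup.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Hypothetical application credential check.
function check_credentials(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// On successful login, discard the pre-authentication id and its storage.
// The true argument deletes the old session file so the planted id is dead.
function login_user(array $users, string $username, string $password): bool
{
    if (!check_credentials($users, $username, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['auth_time'] = time();
    return true;
}

// On logout, clear the data, rotate the id once more and destroy the session,
// so the authenticated id cannot be replayed afterwards.
function logout_user(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Usage with the constructed account.
if (login_user($users, 'alice', 'correct horse battery staple')) {
    echo "logged in as " . $_SESSION['user'] . " with session id " . session_id() . "\n";
    logout_user();
}
```

The regeneration on login is the step the message refers to; the strict-mode setting is the server-side counterpart that protects applications which forget to do it, which is why a shared-hosting admin benefits from having it in the maintained branches.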