Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:68374 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 93354 invoked from network); 5 Aug 2013 10:05:20 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Aug 2013 10:05:20 -0000 Authentication-Results: pb1.pair.com header.from=arraypad@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=arraypad@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.47 as permitted sender) X-PHP-List-Original-Sender: arraypad@gmail.com X-Host-Fingerprint: 209.85.215.47 mail-la0-f47.google.com Received: from [209.85.215.47] ([209.85.215.47:62500] helo=mail-la0-f47.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 5A/CD-06453-FD87FF15 for ; Mon, 05 Aug 2013 06:05:19 -0400 Received: by mail-la0-f47.google.com with SMTP id eo20so1913321lab.34 for ; Mon, 05 Aug 2013 03:05:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=dGfJPC9KJiv3EMxKk6Z2fT4OnR+CsTmNdT3W4MRHfNw=; b=MB/mc4ek5tWAW+GE5xMV0DTp7okaOisANuIq+o1uYH6AtXCjcF2WmPJ99ugYEwkRpl 22rDkZH+Rb9tr5OlyawrH9o/JoEdvW8PuxOD2iN8uh62b96DmHL3rTzWpk5U6UD9X7GU m6B73qFpOhN110TqLi9rqTVaCieXc1xHQcJhCAts72Ww9uE7zfWtXog2GtGzY4+N3vC0 uwPA2TcKrqTFkm9Wk2UynGJRiDQCKI4szQND221gcxwr77MWPCjXtphPqC8v54lpvdgo slkeyEcoar4js1Q+8urWHiMyJLX05dp0Zr6XhH4NYy8sV60Le572YWnPbSTNAqboSNVs VVgA== MIME-Version: 1.0 X-Received: by 10.112.50.109 with SMTP id b13mr8703015lbo.47.1375697115990; Mon, 05 Aug 2013 03:05:15 -0700 (PDT) Received: by 10.112.132.201 with HTTP; Mon, 5 Aug 2013 03:05:15 -0700 (PDT) In-Reply-To: References: <50364644.1060302@lerdorf.com> <5039D249.30707@sugarcrm.com> <503A968A.4070206@sugarcrm.com> <51FEEEAF.1070705@sugarcrm.com> <51FEF5AA.5060409@sugarcrm.com> Date: Mon, 5 Aug 2013 11:05:15 +0100 Message-ID: To: Yasuo Ohgaki Cc: Stas Malyshev , PHP Internals Content-Type: multipart/alternative; boundary=001a11336ce2ead14d04e330712a Subject: Re: [PHP-DEV] Session Id Collisions From: arraypad@gmail.com (Arpad Ray) --001a11336ce2ead14d04e330712a Content-Type: text/plain; charset=ISO-8859-1 Hi Yasuo, On Mon, Aug 5, 2013 at 10:50 AM, Yasuo Ohgaki wrote: > On Mon, Aug 5, 2013 at 6:22 PM, Arpad Ray wrote: > >> I thought we were in agreement about doing this properly in PHP.next? My >> arguments against this version of the patch still stand: > > > We had long discussion and decided to apply maintained branches > as security enhancement more than a year ago. We also planned to > apply the patch into 5.3 originally, but 5.3 is security fix only now. > > Anyway, if users are resetting session id properly, they are protected > against session adoption attacks. However, users are not protect their > apps properly, then they are at the risk of session adoption. This fix is > rather important for PHP, since there are many setups that share > PHP with many apps. That's the reason why we decided to apply > this patch into maintained branches. > > PHP web server admins should feel much safer than before with this > feature. > I'm not against the idea in principle but still think having a security feature which just quietly fails if you're not using one of two modified handlers is really not good. I also think there's no great rush to add this, because as you say, it can be protected against in userland too. I would much rather have a robust, clean solution even if we have to wait until php.next for it. Arpad --001a11336ce2ead14d04e330712a--