Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:68375 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 94867 invoked from network); 5 Aug 2013 10:10:57 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Aug 2013 10:10:57 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.181 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.217.181 mail-lb0-f181.google.com Received: from [209.85.217.181] ([209.85.217.181:48066] helo=mail-lb0-f181.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 63/2E-06453-13A7FF15 for ; Mon, 05 Aug 2013 06:10:57 -0400 Received: by mail-lb0-f181.google.com with SMTP id o10so1910821lbi.40 for ; Mon, 05 Aug 2013 03:10:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=ArgdssVR74R6Qgor8+ndgfT9P258GUrTpHKzJAM9F34=; b=I80fCCPiiOWHc0+7/IitYCwDcJv38z4gmqWYpW7WH5m5jRdsfnHWi30KdsEfz0gM8o nZquFJfG+axN4f0HSle95mmVL/PRvSrMbV+vHR8qizjM6N8qgUIqvX9SgW4GusmgWgeo bBPsRzePQ/2PmyG5gOJt2yF/GCVeBwnkqkxgT0ujuPSlrVPGFLWEO3gbhlxiXyw5Za1S TSJsLu9NVpCFrYrdO/0y6WO/cWX2WjZ+1cNPinyYhQlCpFffuV6HVCxI2QDvJcrqkVSA bW6pevVxeARHSFAlZRF3oNWkH2/KgFMV1XuDm4xJeV3ASAZxGL/FE1+SWVuTvknbCyxG ClyQ== X-Received: by 10.112.51.101 with SMTP id j5mr1247492lbo.17.1375697454143; Mon, 05 Aug 2013 03:10:54 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.127.233 with HTTP; Mon, 5 Aug 2013 03:10:14 -0700 (PDT) In-Reply-To: References: <50364644.1060302@lerdorf.com> <5039D249.30707@sugarcrm.com> <503A968A.4070206@sugarcrm.com> <51FEEEAF.1070705@sugarcrm.com> <51FEF5AA.5060409@sugarcrm.com> Date: Mon, 5 Aug 2013 19:10:14 +0900 X-Google-Sender-Auth: S-6N73_IWSq9gxe2fSvhUNu9g1o Message-ID: To: Arpad Ray Cc: Stas Malyshev , PHP Internals Content-Type: multipart/alternative; boundary=001a1133646012a05604e330864a Subject: Re: [PHP-DEV] Session Id Collisions From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a1133646012a05604e330864a Content-Type: text/plain; charset=UTF-8 Hi Arpad, On Mon, Aug 5, 2013 at 7:05 PM, Arpad Ray wrote: > I'm not against the idea in principle but still think having a security > feature which just quietly fails if you're not using one of two modified > handlers is really not good. > > I also think there's no great rush to add this, because as you say, it can > be protected against in userland too. > > I would much rather have a robust, clean solution even if we have to wait > until php.next for it. > As I wrote, we already had long discussion a year ago and decided to include maintained branches. This issue should be fixed 8 years ago. It's already too late to adopt IMHO. If you would like to know the details of risks, please refer to the RFC. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a1133646012a05604e330864a--