Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:68376 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 97038 invoked from network); 5 Aug 2013 10:27:01 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Aug 2013 10:27:01 -0000 Authentication-Results: pb1.pair.com smtp.mail=arraypad@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=arraypad@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.53 as permitted sender) X-PHP-List-Original-Sender: arraypad@gmail.com X-Host-Fingerprint: 209.85.215.53 mail-la0-f53.google.com Received: from [209.85.215.53] ([209.85.215.53:42968] helo=mail-la0-f53.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 96/8E-06453-4FD7FF15 for ; Mon, 05 Aug 2013 06:27:01 -0400 Received: by mail-la0-f53.google.com with SMTP id el20so1902265lab.40 for ; Mon, 05 Aug 2013 03:26:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jvE7mE049VkE/lEDICMKdd2jFRURolXrO+4usfMOwbk=; b=XEQAkRvwou5ySJ19xH33RBMYZi6UDRnO/OVvRuXGw4tt3vQfBVJ2eVl7XmTOVgPF5h unfxD6dcwIhAtUc/ufukWLs4Kan8w0E+7F9W/1c1KhM0PBuNAUnreHflQXjAF3WTEevP fsvQaOfCV8NAB+fCY60f+RLznSqRvQ/JskjndVDtkp86n2zsYvBGUMtiOXAf27YdyXge nlZOPDlLSBhuiIT4LJs/OOlcoTLBnKa8ud6ILAV1L20cU/Xq2Jh4Z2sMpVLO4XRwRw8h dlFvyQhAhFl5bRmuyBJh2WImcrRz1RlMpw8w9ifQPigwfpJA4VUMndC6LK10o0ColDp3 OEmw== MIME-Version: 1.0 X-Received: by 10.152.23.4 with SMTP id i4mr618330laf.37.1375698418244; Mon, 05 Aug 2013 03:26:58 -0700 (PDT) Received: by 10.112.132.201 with HTTP; Mon, 5 Aug 2013 03:26:58 -0700 (PDT) In-Reply-To: References: <50364644.1060302@lerdorf.com> <5039D249.30707@sugarcrm.com> <503A968A.4070206@sugarcrm.com> <51FEEEAF.1070705@sugarcrm.com> <51FEF5AA.5060409@sugarcrm.com> Date: Mon, 5 Aug 2013 11:26:58 +0100 Message-ID: To: Yasuo Ohgaki Cc: Stas Malyshev , PHP Internals Content-Type: multipart/alternative; boundary=089e0160b87a89a5c304e330bf53 Subject: Re: [PHP-DEV] Session Id Collisions From: arraypad@gmail.com (Arpad Ray) --089e0160b87a89a5c304e330bf53 Content-Type: text/plain; charset=ISO-8859-1 Hi Yasuo, On Mon, Aug 5, 2013 at 11:10 AM, Yasuo Ohgaki wrote: > > On Mon, Aug 5, 2013 at 7:05 PM, Arpad Ray wrote: > >> I'm not against the idea in principle but still think having a security >> feature which just quietly fails if you're not using one of two modified >> handlers is really not good. >> >> I also think there's no great rush to add this, because as you say, it >> can be protected against in userland too. >> >> I would much rather have a robust, clean solution even if we have to wait >> until php.next for it. >> > > As I wrote, we already had long discussion a year ago and decided to > include maintained branches. > Could you point me to where this was decided please? I don't see a vote or anything like a consensus in the previous threads. > This issue should be fixed 8 years ago. It's already too late to adopt > IMHO. > > If you would like to know the details of risks, please refer to the RFC. > I understand the risk and your solution, I just think there's a better solution (more like your original patch if I recall correctly) and that we shouldn't rush to apply an inferior solution just because the issue is so old. Arpad --089e0160b87a89a5c304e330bf53--