Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:68385
Return-Path: <arraypad@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 24092 invoked from network); 5 Aug 2013 16:05:02 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 5 Aug 2013 16:05:02 -0000
Authentication-Results: pb1.pair.com smtp.mail=arraypad@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=arraypad@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.182 as permitted sender)
X-PHP-List-Original-Sender: arraypad@gmail.com
X-Host-Fingerprint: 209.85.217.182 mail-lb0-f182.google.com  
Received: from [209.85.217.182] ([209.85.217.182:35274] helo=mail-lb0-f182.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id C2/73-06453-92DCFF15 for <internals@lists.php.net>; Mon, 05 Aug 2013 12:05:02 -0400
Received: by mail-lb0-f182.google.com with SMTP id v20so2189958lbc.41
        for <internals@lists.php.net>; Mon, 05 Aug 2013 09:04:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=Ghx7afKH6JJfP5GuSGXwQHzQYAfb3Gau2kRcVsMFFG8=;
        b=ZEw4ssDmw5aGp/b6cc2g+/6r8uw+kdjKwbKfR9AyBgERVGsYg8sfddyrJSRn3Opq/N
         OFiB/6VCzGFxH6N1mZHBS7hfy0zpXVcvYEYuZ5pqP9WOyZ649z22xxXJoUmt83xtpojc
         ISb4nuhB2FReI8SNDXcWclGWLcimW3/3TRm+3rCNYZEEjugdHWz85PzInZhsa8pwFhHf
         mUq1athCNcUk7C5YGR9RzoFHM6qthCm5ewa2shvsRSKs/pf3CsMzJZHH4IgwpKa47hms
         X/K9OUi+hFsne6vGzJQBZ7jFv6W22X2nuon+XXwU0nr7U9SkihqZtmmYemVeplzRp7/s
         sVkQ==
MIME-Version: 1.0
X-Received: by 10.152.22.65 with SMTP id b1mr8914740laf.46.1375718693653; Mon,
 05 Aug 2013 09:04:53 -0700 (PDT)
Received: by 10.112.132.201 with HTTP; Mon, 5 Aug 2013 09:04:53 -0700 (PDT)
In-Reply-To: <CAGa2bXY-u8SDqeQpLuZY4yfej3VMWnF11FW+1m4Lnh3r9CUUkw@mail.gmail.com>
References: <CAJRMtAGcN-n9wv8-CFiLt+bXhMvOcmfG8a3kBORVUVCz9n4Bqw@mail.gmail.com>
	<50364644.1060302@lerdorf.com>
	<CAJRMtAH=-B8+M6+kMrpKQZ=Yg2ASa5iv=JCUbjvHkw0UFmw73w@mail.gmail.com>
	<CAL+t6cHj4p=RLwSRGX789w-CswZQd_XtuL364KRBsc66ROdmJA@mail.gmail.com>
	<CAGa2bXY2+kDx32evFmFqUD3P1L6x=PypnVJTuj_mP2853QWQKw@mail.gmail.com>
	<5039D249.30707@sugarcrm.com>
	<CAGa2bXZso_S3fOUogqMwiTYJKtK3KZH5Fs8GZApxMnT+DwgpbQ@mail.gmail.com>
	<CAGa2bXauBFja+BJcLxiE5t5rnfna1QDt3iTRdYr04a1ExFz7+A@mail.gmail.com>
	<503A968A.4070206@sugarcrm.com>
	<CAGa2bXaMYxD3-mbATK0WfEryVEvjHE8m2RnujTauLN8t1S+H6w@mail.gmail.com>
	<CAGa2bXZ3pYiO5Lfn5NS-vuPBk_X6SUsr6Qsswya6mx0S3SjgeQ@mail.gmail.com>
	<CAGa2bXY-+B-_-3N2=VYy7rJB-eXF0nzrGA-eSJmM+O87qDrx-Q@mail.gmail.com>
	<51FEEEAF.1070705@sugarcrm.com>
	<51FEF5AA.5060409@sugarcrm.com>
	<CAGa2bXY0f+vveuRi5hbtfk2d2jn80zAwg0611nqEHXuzNJXBWA@mail.gmail.com>
	<CA+p1TcaEth-KAQEdm9vufs5urky00DBqg1Lg2yHibErb1vWrrw@mail.gmail.com>
	<CAGa2bXbYgQ1wVUQOq1=0MQQ7g7V+UonLFmMO5vQCJxTDFsLRkA@mail.gmail.com>
	<CA+p1TcaQtT3nm+rqhArfu0AFsNBTr2u_-KXjd6A2E6HVj2r_tQ@mail.gmail.com>
	<CAGa2bXb50teO0UgpsNdwWdCkv=+2MAJAw0VLfPu0T9dDRbU1ZA@mail.gmail.com>
	<CA+p1TcZ=eRmJLcGS430rrA_r6xOFvgj18dqVb5_zJQy0_TiEVw@mail.gmail.com>
	<CAGa2bXY-u8SDqeQpLuZY4yfej3VMWnF11FW+1m4Lnh3r9CUUkw@mail.gmail.com>
Date: Mon, 5 Aug 2013 17:04:53 +0100
Message-ID: <CA+p1Tcb8umQgn34bYsZL=UTGGPu3cNaaDT2zbNBDsHRrkQq-rg@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: Stas Malyshev <smalyshev@sugarcrm.com>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e0158b92a0bd2a904e335788c
Subject: Re: [PHP-DEV] Session Id Collisions
From: arraypad@gmail.com (Arpad Ray)

--089e0158b92a0bd2a904e335788c
Content-Type: text/plain; charset=ISO-8859-1

Hi Yasuo,

On Mon, Aug 5, 2013 at 11:38 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> On Mon, Aug 5, 2013 at 7:26 PM, Arpad Ray <arraypad@gmail.com> wrote:
>
>> Could you point me to where this was decided please? I don't see a vote
>> or anything like a consensus in the previous threads.
>
>
> There isn't vote for this RFC since this is security.
> It's also a consensus.
>

While this is a security concern, it's not a straightforward bug fix. When
there's contention in how to fix it, I think there really should be a vote.

I've read the other threads and I don't think has been any clear consensus
about this issue and I, for one, am not happy to have what I feel is an
inferior solution committed while it's still being discussed.

To reiterate: this ini setting will quietly fail when using a handler which
hasn't been patched, like memcached, or a custom handler. That's arguably
worse than not having the setting at all since it could give people a false
sense of security.

Arpad

--089e0158b92a0bd2a904e335788c--