Newsgroups: php.internals
Xref: news.php.net php.internals:68388
Date: Mon, 5 Aug 2013 20:17:10 +0100
From: arraypad@gmail.com (Arpad Ray)
To: Yasuo Ohgaki
Cc: Stas Malyshev, PHP Internals
References: <50364644.1060302@lerdorf.com> <5039D249.30707@sugarcrm.com> <503A968A.4070206@sugarcrm.com> <51FEEEAF.1070705@sugarcrm.com> <51FEF5AA.5060409@sugarcrm.com>
Subject: Re: [PHP-DEV] Session Id Collisions

Hi Yasuo,

On Mon, Aug 5, 2013 at 7:46 PM, Yasuo Ohgaki wrote:
> On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray wrote:
>
>> I think there really should be a vote.
>
> This means you don't really understand the true risk of this vulnerability.
> It allows permanent session ID fixation. This is a CVE-assigned
> vulnerability.
> Details are explained in the RFC and I don't want to explain fully in ML
> again.
> (We might have discussed the details in security@php.net, but I think I wrote
> enough info)
>
> Please refer to the RFC.

I do really understand the risk... I'm saying there should be a vote not on whether or not to fix it, but on how to fix it. Ideally we can figure out something we're all happy with and don't need to vote, but while we so evidently disagree, I think we do.

I'm not going to repeat my arguments against the committed solution yet again, but I really think we need a better one.

Arpad