Newsgroups: php.internals
Xref: news.php.net php.internals:68392
References: <51FEEEAF.1070705@sugarcrm.com>
<51FEF5AA.5060409@sugarcrm.com> <51FFFBB5.6000807@sugarcrm.com>
Date: Tue, 6 Aug 2013 04:57:40 +0900
To: Arpad Ray
Cc: Stas Malyshev, PHP Internals
Subject: Re: [PHP-DEV] Session Id Collisions
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Arpad,

On Tue, Aug 6, 2013 at 4:33 AM, Arpad Ray wrote:
> Hi Stas,
>
> On Mon, Aug 5, 2013 at 8:23 PM, Stas Malyshev wrote:
>
>> > I'm not going to repeat my arguments against the committed solution yet
>> > again, but I really think we need a better one.
>>
>> You are free to propose a better one. Since this topic has been
>> discussed for almost 2 years and nobody has come up with anything better, as
>> far as I know, I think it is reasonable at this stage to go with what we
>> have. If you have something better that is not BC - you're welcome to
>> make a pull against master; if you have something that is better and is
>> BC - that's excellent, let's see it and if it works better, no problem
>> getting it into 5.5.
>> But as far as I see now, that is the only viable patch that we have had
>> for a pretty long time, so sitting and waiting for something better to
>> come along doesn't look like the best course of action. I think we
>> waited enough so that anybody who had a better solution had a chance to
>> propose it and develop it, and given it is a real problem, I think at
>> least a solution that works for now is a good thing to have.
>>
>
> As I've said, I actually think Yasuo's original patch was a better
> approach, tackling the issue in session.c instead of leaving it up to all
> the handlers to implement. This would break BC but solves the major flaw of
> the ini setting working with some handlers and silently failing with
> others. I think it's also a cleaner approach in general.
>
> It's a real pity that this missed the 5.5 boat.
>
> I'll have a think if there's a way to do this with BC, or at least to fail
> better.
>

There is a "reason" that we agreed not to have a vote on this patch.
I'll write up a full description after the release, since not many people
understand the true risk of session-adoption-vulnerable session management.
(I have to check browser behaviors again, though.)

Please wait.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net