Newsgroups: php.internals
Xref: news.php.net php.internals:69402
From: peter.e.lind@gmail.com (Peter Lind)
Date: Sat, 28 Sep 2013 11:39:39 +0200
To: Madara Uchiha
Cc: Yasuo Ohgaki, Leigh, Tjerk Meesters, PHP Internals
Subject: Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

On 28 September 2013 11:27, Madara Uchiha wrote:

> You guys are missing the point. This isn't a language level issue. I
> can imagine some sort of package or a library being made, some sort of
> wrapper around the current session commands, perhaps integrated into
> some sort of extension.
>
> But it is NOT a language level issue. This isn't a problem the
> language needs to solve, ESPECIALLY since userland implementation is
> so trivial.

I would disagree. PHP has very low security levels by default and some WTF security issues because of default settings. It should be the other way round: high security by default that you need to actively change if you want it lowered.

The problem is that the majority of PHP developers, for better or worse, think they can copy-paste solutions to problems and forget about things after that, as long as the output on their screens looks OK. For many developers, security is an afterthought, if even that. And you are, quite simply, NOT GOING TO CHANGE THAT IN THE FORESEEABLE FUTURE. It's not a question of whether you're right or wrong in principle; it's a simple question of statistics. You will have close to zero impact on the PHP developers, no matter how many blog articles you write. It is too large and too diverse a group.

So you're stuck with two choices: accept that PHP security is lax and that as a result a lot of code will have many attack vectors, or try to change the language itself for the better. The third option of "educate" is a mirage.

Note: I'm not saying this feature would be an overall benefit for the security of PHP, but the reasoning behind it is right.
Regards
Peter

--
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
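The userland wrapper the quoted reply says a library could provide, written out as an added example; it is not code from this thread, from the RFC under discussion or from PHP itself. It assumes the application calls secure_session_start() in place of session_start() on every request, that the SAPI allows the listed ini settings to be changed at runtime, and that the function and session-key names (secure_session_start, session_ip_changed, __client_ip, __ip_changed) are this example's own. REMOTE_ADDR is the client address only when no reverse proxy sits in front of PHP.

```php
<?php
// Added example for this thread; not code from the RFC, from PHP, or from
// any poster. Hardens a few session defaults, then regenerates the session
// ID whenever the client address differs from the one the session was
// created under. Function and key names are this example's own.

define('SESSION_IP_KEY', '__client_ip');
define('SESSION_IP_CHANGED_KEY', '__ip_changed');

/**
 * Start (or resume) the session and rotate its ID on an address change.
 *
 * @param string $remoteAddr  Client address, normally $_SERVER['REMOTE_ADDR'].
 *                            Behind a reverse proxy this is the proxy's address;
 *                            only substitute a forwarded header from a proxy you
 *                            control, since clients can set X-Forwarded-For too.
 * @return bool  false if the session could not be started.
 */
function secure_session_start($remoteAddr)
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true; // already started earlier in this request
    }

    // Settings the reply argues should be the defaults. They must precede
    // session_start(); assumes the SAPI permits runtime changes (PHP_INI_ALL).
    ini_set('session.use_only_cookies', '1'); // ignore session IDs passed in the URL
    ini_set('session.cookie_httponly', '1');  // keep the cookie out of document.cookie
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (PHP >= 5.5.2)

    if (!session_start()) {
        return false;
    }

    if (!isset($_SESSION[SESSION_IP_KEY])) {
        // First request of a new session: record the address it was created from.
        $_SESSION[SESSION_IP_KEY] = $remoteAddr;
        return true;
    }

    if ($_SESSION[SESSION_IP_KEY] !== $remoteAddr) {
        // Issue a fresh ID and delete the old record, so whichever party still
        // holds the old ID (the user on their previous network, or whoever copied
        // the cookie) is locked out after this request.
        session_regenerate_id(true);
        $_SESSION[SESSION_IP_KEY] = $remoteAddr;
        $_SESSION[SESSION_IP_CHANGED_KEY] = true; // let the app decide to re-authenticate
    }
    return true;
}

/**
 * True exactly once after an address change, so the application can ask for
 * the password again before allowing privileged actions.
 */
function session_ip_changed()
{
    if (empty($_SESSION[SESSION_IP_CHANGED_KEY])) {
        return false;
    }
    unset($_SESSION[SESSION_IP_CHANGED_KEY]);
    return true;
}

// Usage, at the top of every request before any output is sent:
// secure_session_start($_SERVER['REMOTE_ADDR']);
// if (session_ip_changed()) { /* e.g. require re-login before sensitive actions */ }
```

The wrapper regenerates rather than destroys, so the request that arrives from the new address keeps the session and the old ID stops working; that is the behaviour the thread is debating, and it cuts both ways, because mobile carriers and NAT pools change REMOTE_ADDR for legitimate users, who then lose their session or are asked to log in again. Comparing only an address prefix softens that at the cost of a weaker check; the example keeps the exact comparison so the trade-off stays visible.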