Newsgroups: php.internals
Date: Sun, 26 Jan 2014 10:08:26 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: Andrey Andreev, PHP Internals
Subject: Re: [PHP-DEV] Session IP address matching

Hi Stas,

On Sun, Jan 26, 2014 at 10:00 AM, Yasuo Ohgaki wrote:

> On Sun, Jan 26, 2014 at 9:44 AM, Stas Malyshev wrote:
>
>> > which is a really bad thing to do. session_create_id() generates an ID using
>> > the same code PHP uses to generate IDs, which is much more secure than the above and
>> > supposed to be faster than a userland script.
>>
>> I agree that exposing the ID creation function is a good addition
>> (actually if it was available I'd probably use it in other contexts
>> where I need a random token, not necessarily a session ID as such).
>> Maybe we need an even more generic function and have session reuse that
>> code, too.
>
>
> Although I've written it already, I appreciate any comments for
> improvement. Do you have any ideas for session_create_id()?
> Perhaps a more generic function name and/or a move to ext/standard?
>

An idea for session_id(). It would be better to allow session_id() to set
the SID regardless of use_strict_mode. It's the programmer's intention.

Should I make this change from 5.5? It's nicer than now.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net