Newsgroups: php.internals
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Stas Malyshev
Cc: internals@lists.php.net
Date: Sun, 2 Feb 2014 18:50:17 +0900
In-Reply-To: <52EDF03C.5080201@sugarcrm.com>
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default

On Sun, Feb 2, 2014 at 4:14 PM, Stas Malyshev wrote:
>
> > To set user defined session ID, user has to do
> >
> > ini_set('session.use_strict_mode', FALSE);
> > session_id(session_create_id('SOME-USEFUL-PREFIX'));
> >
> > With this change, user could do
> >
> > session_id(session_create_id('SOME-USEFUL-PREFIX'));
>
> I think having a parameter on session_id is preferable. What happens if
> this is not set and you do session_id('blah') - does it start the
> session? What is returned from session_id as the result?

It could have a signature like

string session_id(string $prefix_or_id [, bool $use_prefix]);

and

session_id('SOME-PREFIX-', TRUE); // returns SOME-PREFIX-xxxxxxxxxxxxxxxxxxxxx

session_id() returns the current PS(id) always. When there is an active session, session_id('something') sets PS(id). It sets PS(id), and it will be used as the session ID if the session is closed and opened again.

We have to decide what we will do about use_strict_mode behavior. It may be easier to automatically set use_strict_mode=FALSE.

I would like to expand uniqid() or create a new function that returns a secure random string, so session_create_id() is not mandatory.

I agree

string session_id(string $prefix_or_id [, bool $use_prefix]);

is simpler. Simpler is better :)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
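The two-step sequence quoted in the thread turns off session.use_strict_mode for the whole request, which also disables the rejection of unknown IDs arriving in the cookie. The following helper is an added example, not code from the thread or from PHP itself; it assumes PHP 7.1 or later for session_create_id(), and the function name is hypothetical. It installs a prefixed ID only when the client sent no session cookie at all, and leaves strict mode on for every returning client.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.1+ for session_create_id().
// Starts a session whose ID carries a caller-chosen prefix using the two steps
// quoted in the thread, but relaxes session.use_strict_mode only for a client
// that sent no session cookie. When a cookie is present, strict mode stays on,
// so an unknown (possibly attacker-chosen) ID in the cookie is still replaced.
function start_session_with_prefix(string $prefix): string
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return session_id();
    }

    // A prefix may only contain characters that are valid in a session ID.
    if (!preg_match('/^[A-Za-z0-9,-]*$/', $prefix)) {
        throw new InvalidArgumentException('invalid session ID prefix');
    }

    if (isset($_COOKIE[session_name()])) {
        // Returning client: there is an ID to validate, so keep strict mode on.
        ini_set('session.use_strict_mode', '1');
        session_start();
        return session_id();
    }

    // New client: there is no incoming ID that strict mode would need to
    // validate, so the manually generated ID can be installed safely.
    ini_set('session.use_strict_mode', '0');
    $id = session_create_id($prefix);
    if ($id === false) {
        throw new RuntimeException('session_create_id() failed');
    }
    session_id($id);
    session_start();
    return session_id();
}
```

Session ini settings cannot be changed while a session is active, so the strict-mode value chosen before session_start() applies for the rest of the request; the next request from that client arrives with a cookie and takes the strict-mode branch.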