Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stas Malyshev
Cc: internals@lists.php.net
Date: Mon, 3 Feb 2014 11:08:28 +0900
In-Reply-To: <52EE1D2E.8060309@sugarcrm.com>
References: <52ED7AC8.6080703@sugarcrm.com> <52EDF03C.5080201@sugarcrm.com> <52EE1D2E.8060309@sugarcrm.com>

Hi Stas,

On Sun, Feb 2, 2014 at 7:25 PM, Stas Malyshev wrote:

> > It could have signature like
> >
> > string session_id(string $prefix_or_id [, bool $use_prefix]);
>
> I'm not sure what prefix has to do with this RFC. Didn't we talk about
> secure setting? Where the prefix came from and why we need the prefix at
> all?

I see some users are generating unsafe session IDs. The purpose of the
change is not to generate an insecure ID when a user wants some prefix in
the session ID.

> > We have to decide what we will do about use_strict_mode behavior.
> > It may be easier to automatically set use_strict_mode=FALSE.
>
> I'm not sure I understand. So if strict mode is on, when I do
> session_id('foo') and session with ID foo does not exist, what would
> happen? Would session_start() create it or would it generate new ID,
> effectively ignoring my session_id command silently?

Yes. Currently, if 'foo' is not there already, session_id('foo') does not
set the session ID but creates a new random session ID when
use_strict_mode=on.

string session_id(string $prefix_or_id [, bool $use_prefix=FALSE]);

$use_prefix=TRUE will bypass use_strict_mode=on.

> > I would like to expand uniqid() or create new function that returns
> > secure random string, so session_create_id() is not mandatory.
>
> Don't we have such function already?
> http://us1.php.net/manual/en/function.mcrypt-create-iv.php

As discussed in another thread, mcrypt_create_iv() is a good one, but it
has some limitations. That's the reason why I think it would be better to
have a function that generates a secure random ID somehow.

Anyway, it is time to compile the openssl module by default, IMHO. It
makes security a lot simpler/easier for both users and internal
developers.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
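The two points raised in this exchange, that user-built prefixed session IDs are often weak and that session.use_strict_mode silently replaces an ID the session handler has never seen, can be observed directly. The following is an added example written for this page; it is not code from the message, the RFC, or PHP's own sources. It assumes PHP 7.1 or later, where random_bytes() and session_create_id() exist, and a CLI run with a writable session.save_path; the helper function names (weak_prefixed_id, strong_prefixed_id, start_with_candidate_id, demo) are this example's own.

```php
<?php
// Added example, not part of the original mailing-list message.
// Assumes PHP >= 7.1 and the default "files" session handler.
declare(strict_types=1);

// Pattern seen in user code: time-derived, low entropy, guessable.
// Shown only so it can be compared with the CSPRNG-based version.
function weak_prefixed_id(string $prefix): string
{
    return $prefix . md5(uniqid('', true));
}

// CSPRNG-based ID with a prefix. The prefix is restricted to the characters
// the session module itself accepts in an ID ([a-zA-Z0-9,-]).
function strong_prefixed_id(string $prefix, int $bytes = 16): string
{
    if (!preg_match('/^[a-zA-Z0-9,-]*$/', $prefix)) {
        throw new InvalidArgumentException('prefix must match /^[a-zA-Z0-9,-]*$/');
    }
    return $prefix . bin2hex(random_bytes($bytes)); // 128 bits of entropy by default
}

// Start a session with a caller-supplied ID and report whether the module kept it.
// Under use_strict_mode=1 an ID the handler cannot validate is replaced.
function start_with_candidate_id(string $candidate): array
{
    session_id($candidate);
    session_start();
    $effective = session_id();
    session_write_close();
    return [
        'requested' => $candidate,
        'effective' => $effective,
        'accepted'  => $effective === $candidate,
    ];
}

function demo(): array
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_cookies', '0');
    ini_set('session.cache_limiter', '');
    ini_set('session.save_path', sys_get_temp_dir());

    // 1. The behaviour described in the thread: 'foo' was never initialised,
    //    so strict mode discards it and a fresh random ID is used instead.
    $rejected = start_with_candidate_id('foo'); // accepted => false

    // 2. Adopting a server-generated prefixed ID while strict mode is on.
    //    session_create_id() is collision-checked against the active handler;
    //    strict mode must be relaxed for the single session_start() that
    //    initialises the new ID, then switched back on.
    session_start();
    $newId = session_create_id('app-');
    session_write_close();
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    $_SESSION['created'] = time(); // ensure the handler writes the record
    session_write_close();
    ini_set('session.use_strict_mode', '1');

    // 3. The prefixed ID now exists in the store, so strict mode accepts it.
    $accepted = start_with_candidate_id($newId); // accepted => true

    return [
        'uninitialised_id_rejected' => !$rejected['accepted'],
        'initialised_prefixed_id_accepted' => $accepted['accepted'],
        'weak_example' => weak_prefixed_id('app-'),
        'strong_example' => strong_prefixed_id('app-'),
    ];
}

if (PHP_SAPI === 'cli') {
    var_dump(demo());
}
```

The toggling of session.use_strict_mode in step 2 is the workaround an application needs today to install an ID it generated itself; the $use_prefix flag proposed above would make that bypass explicit in the session_id() call instead of an ini_set() around session_start(). Note that weak_prefixed_id() is included only as the pattern to detect in code review, not as something to deploy.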