Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72057 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 10346 invoked from network); 3 Feb 2014 08:23:26 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Feb 2014 08:23:26 -0000 Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 108.166.43.123 as permitted sender) X-PHP-List-Original-Sender: smalyshev@sugarcrm.com X-Host-Fingerprint: 108.166.43.123 smtp123.ord1c.emailsrvr.com Linux 2.6 Received: from [108.166.43.123] ([108.166.43.123:53997] helo=smtp123.ord1c.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 48/16-15628-DF15FE25 for ; Mon, 03 Feb 2014 03:23:26 -0500 Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp8.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 7EACE1A0B49; Mon, 3 Feb 2014 03:23:23 -0500 (EST) X-Virus-Scanned: OK Received: by smtp8.relay.ord1c.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id 1E0D81A0B3F; Mon, 3 Feb 2014 03:23:23 -0500 (EST) Message-ID: <52EF51FA.4000502@sugarcrm.com> Date: Mon, 03 Feb 2014 00:23:22 -0800 Organization: SugarCRM User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: Yasuo Ohgaki CC: "internals@lists.php.net" References: <52ED7AC8.6080703@sugarcrm.com> <52EDF03C.5080201@sugarcrm.com> <52EE1D2E.8060309@sugarcrm.com> In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default From: smalyshev@sugarcrm.com (Stas Malyshev) Hi! > I see some users are generating unsafe session ID. Purpose of change is > not to generate insecure ID when user want some prefix in session ID. What's "insecure session ID" and how it is related to the matter we are discussing? > Yes. > Currently, if 'foo' is not there already, session_id('foo') does not set > session ID, but creates new random session ID when use_strice_mode=on. > > string session_id(string $prefix_or_id [, bool $use_prefix=FALSE]); > > $use_prefix=TRUE will bypass use_strict_mode=on. I still don't understand what use_prefix has to do with secure session and why use_prefix would bypass strict mode. Something is missing here for me. Could you give some more detailed explanation of what you're trying to do here? > As discussed in other thread, mcrypt_create_iv() is good one, but > it has some limitations. That's the reason why I think it would be > better to have function that generates secure random ID some how. We have two functions that generate random sequences - one in openssl and one in mcrypt. Why we need a third one? > Anyway, it is time to compile openssl module by default. IMHO. Why we must control what the user compiles? The users that know what they're doing will compile it anyway, the users that don't will use distros which couldn't care less about our defaults and build all extensions separately anyway. I don't see which problem you're trying to fix here. > It makes security a lot simpler/easier for both users and internal > developers. What exactly is hard now but becomes easier? Typing --with-openssl is not hard. -- Stanislav Malyshev, Software Architect SugarCRM: http://www.sugarcrm.com/ (408)454-6900 ext. 227