Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72070
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 32520 invoked from network); 3 Feb 2014 10:19:32 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Feb 2014 10:19:32 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.176 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.176 mail-lb0-f176.google.com  
Received: from [209.85.217.176] ([209.85.217.176:34582] helo=mail-lb0-f176.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 1C/13-18355-23D6FE25 for <internals@lists.php.net>; Mon, 03 Feb 2014 05:19:31 -0500
Received: by mail-lb0-f176.google.com with SMTP id w7so5062388lbi.7
        for <internals@lists.php.net>; Mon, 03 Feb 2014 02:19:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=Oyvmj4dXwZxnxaOyZFB/MmP3DShGT5RUxgbYI/R6igc=;
        b=Cy0G1wIYg+9tscHEX1ve4IwYpRlmPDTVKZlUeErUIZJvSSoM9kiK+7rYkWKgSy5tZP
         FH2LJsVSC5Fi9uZCAT1Rw5Uo+IFOVkaHLGS0IsCbZJFNls63h/HqFPPgQxgq1dA75hb7
         Yr//geLjsZO7rIfeTc+TQnevjZ0ExdCn0Z4pQ3rBGOSp/HRFMEErLRt/23uzihSMk3qR
         Te8tu8jsImeiD8aRkP451XNky+InbdSg0ukfkJgdX2uNIAkZOuqVnuzHxaNjMgkYlbIx
         tIV147SGGkMy4dExiqMfdTgs++smi2x37iN4+6jivVTI8BWzdhBAR6rWYhbBDJLVqxu1
         zWyw==
X-Received: by 10.152.20.134 with SMTP id n6mr28321lae.83.1391422767010; Mon,
 03 Feb 2014 02:19:27 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Mon, 3 Feb 2014 02:18:46 -0800 (PST)
In-Reply-To: <CAPhkiZxPZPatCKsCCih3YnOUmoUydk6MCvFjFB=AVvS-6bDYUQ@mail.gmail.com>
References: <CAPhkiZxPZPatCKsCCih3YnOUmoUydk6MCvFjFB=AVvS-6bDYUQ@mail.gmail.com>
Date: Mon, 3 Feb 2014 19:18:46 +0900
X-Google-Sender-Auth: lW3Ke_isVUyJHHvrjDYiQ_FlM6I
Message-ID: <CAGa2bXb1ijUNA=RNFaTDnT7JjuVjWHp1aAiFxFXbCMwQqP-GjQ@mail.gmail.com>
To: Andrey Andreev <narf@devilix.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e01493dbec296ed04f17ddbe8
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e01493dbec296ed04f17ddbe8
Content-Type: text/plain; charset=UTF-8

Hi Andrey,

On Mon, Feb 3, 2014 at 4:31 PM, Andrey Andreev <narf@devilix.net> wrote:

> 'use_strict_mode' is supposed to generate a new session ID when the
> application receives a session cookie with an invalid (non-existing)
> session ID.
> I don't think that it should've ever changed the behavior of
> session_id() and I'd rather consider it a bug if it doesn't allow it
> to set the new session ID.
>

I can understand your opinion. Yet, it would be better for users to have
securely prefixed session ID. IMHO.

string session_id('PREFIX_', TRUE);

This does not set insecure session ID, since it only adds prefix to
generated session ID.


> 'hash_bits_per_character' has nothing to do with security and its only
> useful purpose that I could think of is maintainig BC for
> database-stored session data, where i.e. the ID used to be an md5 hash
> and and switching to sha1 would require altering the field length to
> 40. Increasing hash_bit_per_character in that case would allow a
> sha-1-sized hash to be stored in 32 characters.
> Other than that (and probably some crazy traffic volume-related
> micro-optimization), it's pretty useless.
>

Since the RFC is proposing stronger hash function as NIST suggests,
session ID needs to have longer hash bits. To reduce size of session ID,
larger hash bits is proposed. Similar reason you explained.

Some user may have limited storage size for session ID. However, it's
not a good excuse keeping weaker setting. Users need weaker settings
should set values for their own. IMHO.


> That "allow an underscore when hash_bits_per_character=6" is also not
> in the scope of security and the hash function itself wouldn't
> generate an underscore, so ... what has it got to do with anything?
>

If hash_bits_per_character=6, files save handler uses all chars for session
ID and users cannot have prefix delimiter char. User may use string offset,
though.  That's the reason why there is '_' proposal.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--089e01493dbec296ed04f17ddbe8--