Newsgroups: php.internals
Date: Mon, 3 Feb 2014 11:43:22 +0100
From: Pierre Joye <pierre.php@gmail.com>
To: Yasuo Ohgaki
Cc: PHP internals, Stas Malyshev
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default

On Feb 3, 2014 11:36 AM, "Yasuo Ohgaki" wrote:
>
> Hi Stas,
>
> On Mon, Feb 3, 2014 at 5:23 PM, Stas Malyshev wrote:
> >
> > > I see some users are generating unsafe session IDs. The purpose of the change is
> > > not to generate an insecure ID when a user wants some prefix in the session ID.
> >
> > What's an "insecure session ID" and how is it related to the matter we are
> > discussing?
>
> If there is not an easy way to create a secure session ID (currently, we
> don't have one), users may generate session IDs on their own, which may be insecure.

That's exactly the point. Sessions have options to make them more secure (entropy, hash). Maybe the default should be improved.

As far as I remember it is not possible anymore to build PHP without providing a valid entropy source.

Cheers,
Pierre
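As an added example (not code from the thread or from PHP's session module), this is one way to give users the "easy way" Yasuo describes: a prefixed session ID whose random part comes from the OS CSPRNG, plus a check that rejects IDs that were not built that way. It assumes PHP 7 or later for `random_bytes()`; the prefix character set and lengths are choices made here, not PHP defaults.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumes PHP 7+ for random_bytes().
// Builds a session ID with a caller-chosen prefix and a CSPRNG-backed body,
// and validates IDs so that short or malformed ones are rejected.

const SESSION_ID_RANDOM_BYTES = 32;   // 256 bits of entropy per ID
const SESSION_ID_RANDOM_HEX_LEN = 64; // bin2hex() length for 32 bytes

function make_prefixed_session_id(string $prefix = ''): string
{
    // Restrict the prefix to characters PHP accepts in session IDs
    // (letters, digits, comma, dash) so it cannot break cookie or URL handling.
    if ($prefix !== '' && !preg_match('/^[A-Za-z0-9,-]{1,32}$/', $prefix)) {
        throw new InvalidArgumentException('session ID prefix contains invalid characters');
    }
    // random_bytes() reads the OS CSPRNG and throws if no secure source exists,
    // rather than silently falling back to a weak generator.
    return $prefix . bin2hex(random_bytes(SESSION_ID_RANDOM_BYTES));
}

function is_acceptable_session_id(string $id, string $prefix = ''): bool
{
    if ($prefix !== '' && strncmp($id, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    $body = substr($id, strlen($prefix));
    // Require the full-length hex body: anything shorter or non-hex was not
    // produced by make_prefixed_session_id() and carries less entropy.
    return strlen($body) === SESSION_ID_RANDOM_HEX_LEN && ctype_xdigit($body);
}

// Constructed usage: a good ID passes, a too-short one (64 bits) is rejected.
$good = make_prefixed_session_id('app1-');
$short = 'app1-' . bin2hex(random_bytes(8));
assert(is_acceptable_session_id($good, 'app1-'));
assert(!is_acceptable_session_id($short, 'app1-'));

// Hand the ID to the session module before session_start() so PHP uses it.
session_id($good);
// session_start();
```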