Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72074 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 39742 invoked from network); 3 Feb 2014 10:48:43 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Feb 2014 10:48:43 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.169 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.217.169 mail-lb0-f169.google.com Received: from [209.85.217.169] ([209.85.217.169:37765] helo=mail-lb0-f169.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id F1/B0-35654-A047FE25 for ; Mon, 03 Feb 2014 05:48:42 -0500 Received: by mail-lb0-f169.google.com with SMTP id q8so5321557lbi.28 for ; Mon, 03 Feb 2014 02:48:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=xPZWe+mSkfRYj3QUnD7k/yE4aCi0RcFn7W41MVFWTwg=; b=vp7aV3J7SnadGYPBglCmveyi/S11CasENBw3yjNBvD4SJVWW3P3YTMkBbcyb4tXdZZ si0NhZSs6xItMK8puHI4ItBot4jhL2hRdYb+eGVE+mOzs4rAG9Ln/8djziEC5HeQ0+L8 Qfimhi2vkloF3b2uB5TjluA9TdXW9fdFhUqLwL9F6V94btagLiiBbDuQ7sUip1x0Fxe+ tN+MDD4NqGhBJqzhsDsLLtDlhrAXVjyXyiKWfTxc6tWK9rjcJFCWVK9OFzTuEgAvCUW6 XUZg22Ra21N8oJBKoBZoSiTGZ6fL8J7mdWLWlruUCihv6eEAjGtOooB5+UmYNVXJfUp0 pNUw== X-Received: by 10.112.72.170 with SMTP id e10mr1079900lbv.43.1391424519296; Mon, 03 Feb 2014 02:48:39 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.199.37 with HTTP; Mon, 3 Feb 2014 02:47:59 -0800 (PST) In-Reply-To: References: <52ED7AC8.6080703@sugarcrm.com> <52EDF03C.5080201@sugarcrm.com> <52EE1D2E.8060309@sugarcrm.com> <52EF51FA.4000502@sugarcrm.com> Date: Mon, 3 Feb 2014 19:47:59 +0900 X-Google-Sender-Auth: Rbem0njOYqN6WUzDWMR-oUdn1h4 Message-ID: To: Pierre Joye Cc: PHP internals , Stas Malyshev Content-Type: multipart/alternative; boundary=001a11c24258345b6504f17e449b Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11c24258345b6504f17e449b Content-Type: text/plain; charset=UTF-8 On Mon, Feb 3, 2014 at 7:43 PM, Pierre Joye wrote: > On Feb 3, 2014 11:36 AM, "Yasuo Ohgaki" wrote: > > > > Hi Stas, > > > > On Mon, Feb 3, 2014 at 5:23 PM, Stas Malyshev >wrote: > > > > > > I see some users are generating unsafe session ID. Purpose of change > is > > > > not to generate insecure ID when user want some prefix in session ID. > > > > > > What's "insecure session ID" and how it is related to the matter we are > > > discussing? > > > > > > If there is not a easy way to create secure session ID (Currently, we > > don't), > > users may generate session ID by their own which may be insecure. > > That's exactly the point. Sessions have options to make them more secure > (entropy, hash). Maybe the default should be improved. As far as I remember > it is not possible anymore to build php without providing a valid entropy > source. > Yes. Session module requires valid entropy source to generate session ID. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11c24258345b6504f17e449b--