Newsgroups: php.internals
Message-ID: <52EF7731.3060104@lsces.co.uk>
Date: Mon, 03 Feb 2014 11:02:09 +0000
From: Lester Caine <lester@lsces.co.uk>
To: internals@lists.php.net
References: <52ED7AC8.6080703@sugarcrm.com> <52EDF03C.5080201@sugarcrm.com> <52EE1D2E.8060309@sugarcrm.com> <52EF51FA.4000502@sugarcrm.com>
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default

Yasuo Ohgaki wrote:
>>> I see some users are generating unsafe session IDs. The purpose of the change is
>>> not to generate an insecure ID when a user wants some prefix in the session ID.
>>
>> What's an "insecure session ID" and how is it related to the matter we are
>> discussing?
>
> If there is not an easy way to create a secure session ID (currently, we
> don't have one), users may generate session IDs on their own, which may be insecure.

Simple question ... does it actually matter?

If a session id is simply used for navigating a visit to a site then as long as it works it's fine? If *I* am working with a secure site then I have another level of security via a VPN connection. As an intermediary for secure financial transactions, it's the service providers who dictate the security used?

Again we seem to be targeting things which are under rules which may be dictated by third party requirements, and third party tools such as ssh?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
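The point Yasuo raises in the quoted text (applications that want a prefixed session ID end up hand-rolling the whole ID) is illustrated below with a save handler that keeps the random part on a CSPRNG. This is an added example written for this page; it is not code from the thread, from the RFC, or from PHP itself. It assumes PHP 7.0 or later (for `random_bytes`) and the bundled `SessionHandler` base class; the class name `PrefixedSidHandler`, the helper `looks_like_prefixed_sid`, and the prefix `app-` are illustrative choices.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical class, not part of PHP or the RFC).
 * A session save handler that lets the application prefix its session IDs
 * while the random part still comes from random_bytes(), so application
 * code never has to invent its own ID generation.
 */
final class PrefixedSidHandler extends SessionHandler
{
    /** 16 bytes = 128 bits of entropy per ID. */
    const ENTROPY_BYTES = 16;

    /** @var string */
    private $prefix;

    public function __construct(string $prefix)
    {
        // PHP only accepts [a-zA-Z0-9,-] in a session ID; reject other
        // characters here rather than letting the session module refuse the ID later.
        if (!preg_match('/^[a-zA-Z0-9-]{0,32}$/', $prefix)) {
            throw new InvalidArgumentException('prefix contains characters not allowed in a session ID');
        }
        $this->prefix = $prefix;
    }

    /**
     * Called by the session module whenever it needs a fresh ID
     * (session_start() with no cookie, session_regenerate_id()).
     * Overriding create_sid() keeps the generation in one audited place.
     */
    public function create_sid(): string
    {
        return $this->prefix . bin2hex(random_bytes(self::ENTROPY_BYTES));
    }
}

/**
 * Shape check for an ID produced by PrefixedSidHandler: correct prefix,
 * correct length, and a purely hexadecimal random part. Useful when the
 * application wants its own validation in addition to session.use_strict_mode.
 */
function looks_like_prefixed_sid(string $id, string $prefix): bool
{
    $hexLen = PrefixedSidHandler::ENTROPY_BYTES * 2;
    return strlen($id) === strlen($prefix) + $hexLen
        && strncmp($id, $prefix, strlen($prefix)) === 0
        && ctype_xdigit(substr($id, strlen($prefix)));
}

// Usage: register the handler before the session starts.
$handler = new PrefixedSidHandler('app-');
session_set_save_handler($handler, true);
ini_set('session.use_strict_mode', '1'); // discard IDs the server never issued
session_start();
var_dump(looks_like_prefixed_sid(session_id(), 'app-')); // bool(true)
```

The design choice worth noting is that the prefix only ever influences the non-secret part of the ID: the 128 random bits are drawn from the operating system CSPRNG regardless of what the application asks for, and `session.use_strict_mode` ensures an ID the server did not generate is not accepted from a client.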