Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72288 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 64430 invoked from network); 5 Feb 2014 20:00:57 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Feb 2014 20:00:57 -0000 Authentication-Results: pb1.pair.com header.from=narf@devilix.net; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=narf@devilix.net; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain devilix.net designates 209.85.213.50 as permitted sender) X-PHP-List-Original-Sender: narf@devilix.net X-Host-Fingerprint: 209.85.213.50 mail-yh0-f50.google.com Received: from [209.85.213.50] ([209.85.213.50:44993] helo=mail-yh0-f50.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id C6/E4-38005-77892F25 for ; Wed, 05 Feb 2014 15:00:56 -0500 Received: by mail-yh0-f50.google.com with SMTP id 29so982948yhl.23 for ; Wed, 05 Feb 2014 12:00:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=devilix.net; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nKI6GFI45I3KYQCK/BqDlo45TFPxkiQPzrYyUi1oPzg=; b=vE44o+OWDVDPjPnSNPHOVwyyhUyon8CJD+fkK2f1ea90/h5WFi6cyKFHF7d2rH4nsJ Ft4hDIvyVvRoRounHLs/OH5kIQvT2LHVhjIYezmscKc7Tw89/91IMQ8SyZEbq6aftTGg WjrImXynkE844Z/RjOeqtUG0gBwCexY26iVOQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=nKI6GFI45I3KYQCK/BqDlo45TFPxkiQPzrYyUi1oPzg=; b=CY8ul9Pqf0cQPY/lB44yUIlJwDgHhm2ayCqIPhTtQwfNl4ZrCWkOKVOWnjd6MIgivf clYsHEU2MfGpZ2vVIya+4JNUxTLvQ628IRSdwXhmsjC2dw3wNtS4J1ghiadi8Rs5zRpO cqFsLJbyU0eMIoKkxxXjOR7iuatgMGUiBIgPhmdidqntxR9xovlfiTreilHrARhJegDf oTpgySH50QwLKhNIGEFhcnoc14DaI4aGIOxRarZ2N7x+0S6ySLSGTj+ERU/Ow+EnfnD2 ib1JBnsvQBo4xiajSnLVtJMQ6re4VOwrI5nLop9sKlO7z5cm9HgzUiMQkyOQGRLNzJkg Hvww== X-Gm-Message-State: ALoCoQkVg6hLGdKtf9BwIRFWgbbw/40t7LetlAmgyjlmXA5WF6kAzGzAODw/4kc7U38Au3701t/U MIME-Version: 1.0 X-Received: by 10.236.114.71 with SMTP id b47mr3158753yhh.42.1391630452570; Wed, 05 Feb 2014 12:00:52 -0800 (PST) Received: by 10.170.144.85 with HTTP; Wed, 5 Feb 2014 12:00:52 -0800 (PST) In-Reply-To: References: Date: Wed, 5 Feb 2014 22:00:52 +0200 Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default From: narf@devilix.net (Andrey Andreev) Hi again, >> I am not referring to an old RFC, I'm saying this parameter is pointless. >> What difference does it make at all? How does session_id() work with >> and without it? > > > Original proposal was > > session_id('SOME_USEFUL_PREFIX' . session_create_id()); > > and allow to set ID. New one should be > > bool session_id(string $new_id_or_prefix [, bool $use_prefix=FALSE]); > > (I thought I've updated the signature. It was old...) > It supposed to used like > > session_id('PREFIX_', TRUE) // retunrs PREFIX_SECURE-SID > > New API would not allow insecure session ID when use_strict_mode=on while > allowing user defined prefix for session ID. You're not getting what I mean at all. use_strict_mode should only validate cookie input, that's what it is meant for: >> I'm not ignoring anything, I'm just saying this should be in a separate >> RFC. >> > > I have too many RFCs already... > I would like to reduce number of RFCs. Would you like it if people vote 'No' on this RFC because they like the setting changes, but not the proposed session_id() parameter? That's how I would vote if I could. :) >> See my previous comment above. >> You didn't chose a wrong name, you seem to have done a 2-in-1 RFC and >> that's not the right approach IMO. At the very least - it's obviously >> confusing and most of what you've said in this conversation isn't >> described in the RFC at all. > > > To me, it's the same objective that make session usage as secure as > possible. > I don't see reason to make 2 patches/RFC for making session module secure. > Perhaps, better title would be > > "Make session options/API as secure as possible" > > Regarding "_" addition to files save handler, it may not be RFC issue as it > does not break anything at all. Just an simple addition of safe char that > is needed for new safe prefixed session ID with hash bits=6. It may apply > even prefixed session. I think there are many changes like this w/o RFC. > > I tried to write RFC to be minimum and sufficient. I should add more > description > if it is not. Or add link of this thread. I think it's preferred way. Changing default settings in the proposed way makes ext/session more secure by default. Adding a new parameter to session_id() only gives users an easier way to do complete a task that they otherwise *could* do the wrong way. The first has real, straight-forward impact on security and doesn't change existing functionality. The second only *might* lead to some userland code being more secure and it is questionable if that's the proper tool for the job. I for one would like more tools that allow me to change a session's behavior, but a prefix is not one of them. It's not the same thing, not even the same category. On the '_' character: Any character passed to session_id() should be allowed, depending on hash_bits_per_character and just for the underscore doesn't sound good to me. Cheers, Andrey.