Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72326
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 38386 invoked from network); 6 Feb 2014 06:26:55 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Feb 2014 06:26:55 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.45 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.45 mail-la0-f45.google.com  
Received: from [209.85.215.45] ([209.85.215.45:37678] helo=mail-la0-f45.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E2/85-09398-D2B23F25 for <internals@lists.php.net>; Thu, 06 Feb 2014 01:26:54 -0500
Received: by mail-la0-f45.google.com with SMTP id b8so1132419lan.32
        for <internals@lists.php.net>; Wed, 05 Feb 2014 22:26:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:content-type;
        bh=QxacA4/TtcBFgVl5tJA+mvJrHT+v4JZZyMAVSDSpT6w=;
        b=HwmQYXVqLCpESn6dCDi/T01t9uVl6KV2Scnjx/Kr1Es8nkGRbWmtx0MmFKQKhEdIG/
         MnneiBU8LaAliVhqfYkL9BJ3AtLeNJlmq/UrfRWk5HfUSFnBI02Z4zzyaXRbe+wEzVfu
         gJVgptI2b4dkHRCCAPavcOnfdR+/iYDM7Y9yBfycnhX6lELBA+pKMn33G53gyvPx6FgT
         enp9es3oioiqYYYzpR12roCctQ3z3MLgPKPCBJR9sGDzFHXqTTUmOMvQhPpdh3jVluZd
         EsnsB4f4MUX6sDJj0U0614ol1edwkQdOpZcwZ8opQT1Rg1AWg0mtosY5Q0C/3+eHKbXb
         JeLw==
X-Received: by 10.112.91.228 with SMTP id ch4mr3941874lbb.19.1391668011158;
 Wed, 05 Feb 2014 22:26:51 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Wed, 5 Feb 2014 22:26:10 -0800 (PST)
In-Reply-To: <CAGa2bXafasfby-RK8cnd_3mnB-VrxYJCwtnjmZwv+rNO_9U8Qg@mail.gmail.com>
References: <CAGa2bXatpirSgsFhs1bdE72YCk3waPVsgr=M0NsRrwUZ3-5Uzg@mail.gmail.com>
 <CAGa2bXafasfby-RK8cnd_3mnB-VrxYJCwtnjmZwv+rNO_9U8Qg@mail.gmail.com>
Date: Thu, 6 Feb 2014 15:26:10 +0900
X-Google-Sender-Auth: _zyAnNIkAqfdH4_DJXJi8cVwUGA
Message-ID: <CAGa2bXbyfmzYGJ=KKYyyq8xr8mx0D+U7UWpeK+Maw3zZ4JS_0w@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11348aba73619104f1b6f55d
Subject: Re: [RFC] Secure Session Module Options by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11348aba73619104f1b6f55d
Content-Type: text/plain; charset=UTF-8

Hi all,

On Thu, Feb 6, 2014 at 3:15 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> On Sun, Feb 2, 2014 at 7:33 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>
>> Secure Session Module Options by Default
>> https://wiki.php.net/rfc/secure-session-options-by-default
>>
>> Session is core of web security. Therefore, default should be
>> as secure as possible by default.
>>
>> I'll open vote next week, please send comments now.
>>
>
> I've added new INI option for security reason. (Timing attack mitigation)
>
> **session_id_length** minimum session ID length to mitigate timing attack.
> 26 for PHP 5.3/5.4/5.5. 52 for 5.6.
>

I need information about PHP distributions.
Does anyone know if there is PHP distributions that provide hash module as
*.(so|dll)?
If there is, I have to change this INI value.

Thank you!

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11348aba73619104f1b6f55d--