Newsgroups: php.internals
From: narf@devilix.net (Andrey Andreev)
To: internals@lists.php.net
Date: Mon, 17 Feb 2014 10:11:35 +0200
Subject: Re: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default

Hey,

I didn't want to interrupt a vote, but this 'id_length' setting was not initially a part of the RFC and it's just now that I see it.

I don't see how it relates to timing attacks. If it is about comparing at least N characters of the session ID before rejecting one, then why not just compare all of them? ID length is public information; anybody can see what it is by simply looking at what the application gives them.

And finally, the setting name itself is misleading - it doesn't make it clear that it's about minimum length.

Cheers,
Andrey.
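The point Andrey raises, that rejecting a session ID after comparing "at least N" bytes still leaks how many leading bytes matched, can be shown directly. The following is an added example and not code from the email, the RFC, or ext/session: it counts the bytes a comparison visits as a stand-in for its execution time. The session ID value is constructed here with random_bytes(); the function names (naive_equals, constant_time_equals, validate_session_id) and the 32-character hex format are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Early-exit comparison: returns at the first mismatching byte, so the number of
// iterations (and the wall-clock time) grows with the length of the matching prefix.
// An attacker who can measure that can recover the ID one byte at a time; checking
// the first N bytes before returning only moves the leak to byte N+1.
function naive_equals(string $known, string $given, int &$steps): bool
{
    $steps = 0;
    if (strlen($known) !== strlen($given)) {
        return false; // the length is public, so rejecting on it leaks nothing new
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        if ($known[$i] !== $given[$i]) {
            return false;
        }
    }
    return true;
}

// Constant-time comparison: visits every byte regardless of where the first
// mismatch is and folds all differences into one accumulator.
function constant_time_equals(string $known, string $given, int &$steps): bool
{
    $steps = 0;
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $steps++;
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// What application code should actually use: the built-in hash_equals() performs
// the same constant-time loop. Put the stored (secret) value first and the
// user-supplied value second, as its signature expects.
function validate_session_id(string $stored, string $submitted): bool
{
    return strlen($stored) === strlen($submitted) && hash_equals($stored, $submitted);
}

// Constructed demo: a 32-hex-character ID and guesses that match 0, 8 or 31 leading
// characters and then diverge ('z' is never a hex digit, so the tail always differs).
$stored = bin2hex(random_bytes(16));
foreach ([0, 8, 31] as $prefix) {
    $guess = substr($stored, 0, $prefix) . str_repeat('z', 32 - $prefix);
    naive_equals($stored, $guess, $naiveSteps);
    constant_time_equals($stored, $guess, $ctSteps);
    printf("matching prefix=%2d  naive steps=%2d  constant-time steps=%2d  hash_equals=%s\n",
        $prefix, $naiveSteps, $ctSteps, validate_session_id($stored, $guess) ? 'true' : 'false');
}
```

Running it shows the naive loop doing 1, 9 and 32 steps for the three guesses while the constant-time loop always does 32: the early-exit variant leaks the matched-prefix length, the full comparison does not, and neither gains anything from a separate minimum-length setting because the length check itself only confirms information the attacker already has.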