Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72682
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 70051 invoked from network); 18 Feb 2014 11:58:08 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 18 Feb 2014 11:58:08 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.50 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.50 mail-la0-f50.google.com  
Received: from [209.85.215.50] ([209.85.215.50:42339] helo=mail-la0-f50.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 58/C0-65468-FCA43035 for <internals@lists.php.net>; Tue, 18 Feb 2014 06:58:07 -0500
Received: by mail-la0-f50.google.com with SMTP id ec20so12032748lab.37
        for <internals@lists.php.net>; Tue, 18 Feb 2014 03:58:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=4MRTzG27p8iBlrxmibch4qGyls09bsSD+I/oJ890hTU=;
        b=LY8q+NlcuseMY0VkO2WirLO7PaoK23cNcF6+ReLo53kkpHwrf0pI1zY1evbgI6+PUU
         IgEjzVY/yd5mYbc5mblT+tUcwkDlBbCvJlJKAKwvnvoxr63LXag/SmnyMLqU3zxIRD3r
         /BQZagkW98sDax5yFXs87Cn9o/BZLwe4YNWJV/zB/olW8NuSQ0YOw0PM2OUpggAEEiOx
         zWJCsR6JidCSZTYWfyBeUVMZQMVP48Q3i3tCD2d+aJoedyJZKMxwpQqybL+CuG33LkGD
         S2mi2Ms2rJiOBbIksfT8qj7WvD/0XLNgcV4HYWtE+FbEYnSBD3RwbT7px75FEI4MjeXR
         8qTg==
X-Received: by 10.112.55.65 with SMTP id q1mr20467284lbp.11.1392724683894;
 Tue, 18 Feb 2014 03:58:03 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.199.37 with HTTP; Tue, 18 Feb 2014 03:57:23 -0800 (PST)
In-Reply-To: <2cb7cac279b9740f6ae011da15088ac9@mail.gmail.com>
References: <CAGa2bXbNU-8HbbRrT5v33NWJPuQKSqxQa7HYDnKdrX07qfndBw@mail.gmail.com>
 <2cb7cac279b9740f6ae011da15088ac9@mail.gmail.com>
Date: Tue, 18 Feb 2014 20:57:23 +0900
X-Google-Sender-Auth: o_ptxWJr0xHXkrAQR1NNeJI9QrI
Message-ID: <CAGa2bXZ22arMOG9kZN1rh9bH_CRacJWKNRrsSQkpqCsypc1tdQ@mail.gmail.com>
To: Zeev Suraski <zeev@zend.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c3ee8e0db5c004f2acfc38
Subject: Re: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c3ee8e0db5c004f2acfc38
Content-Type: text/plain; charset=UTF-8

Hi Zeev,

On Tue, Feb 18, 2014 at 8:46 PM, Zeev Suraski <zeev@zend.com> wrote:

> This was previously discussed but I have to agree with Andrey (and maybe
> even go beyond what he said) - the hash_bits change doesn't belong in this
> RFC.  First, it has no security implications and it's not entirely clear
> from the RFC.  Second, I don't feel that the implications of that change
> are
> clear, beyond some mention that "this could not be an issue for almost all
> apps", which personally I don't think is accurate - but either way, we need
> some better analysis here.
>
> From my point of view I don't think a few extra characters per session
> going
> over the wire are worth the potential obscure BC break changing the default
> here will cause with certain session backends and/or apps, and we shouldn't
> include this change in this RFC.  If we want to compact the session id's,
> proposing a change for this default can be done in a separate RFC that
> discusses the pros and cons of doing it, independent of security.
>

I agree. This would be removed. This means vote is closed and reopened
again.

I'm not sure why compiled and php.ini-* default differs now, but it's
irrelevant issue here anyway.

Another thing that I think this RFC is missing is some clearer explanation
> on what kind of apps *don't* work with the proposed changes (most notably
> use_strict_mode=on and cookie_httponly).  Even though my gut is that these
> two proposed changes are good - the RFC should include explanations of the
> code patterns and/or types of apps and/or modules that will be affected by
> this;  "Most apps should not be affected" isn't enough in an RFC IMHO.
>

I'll add explanations and possible side effects. I think of few.


>  Last - the voting period should be at least a week, right now it's 5 (or
> maybe 6, depending on your POV) days.
>

This is mistake. My apologies.

Thank you for your comment.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c3ee8e0db5c004f2acfc38--