Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73232
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 57145 invoked from network); 17 Mar 2014 21:09:55 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Mar 2014 21:09:55 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.43 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.43 mail-la0-f43.google.com  
Received: from [209.85.215.43] ([209.85.215.43:58604] helo=mail-la0-f43.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 9A/6E-17561-1A467235 for <internals@lists.php.net>; Mon, 17 Mar 2014 16:09:54 -0500
Received: by mail-la0-f43.google.com with SMTP id e16so4114461lan.16
        for <internals@lists.php.net>; Mon, 17 Mar 2014 14:09:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=9dudphOUlIWnQZLbzWV/2wy90TdnH5GZl8YRRg2Mge4=;
        b=p4K2N7BBJbAY/0lq1Sf0vTbCZXT83R2IqJLVOL4K7Yq7piVm2Ea2cdH7rSg+N5wINz
         9Glmf2ui1F1zZWlKyeYzDV6GsT+mP4DY10KtLNP2qtYOHpRgbNtZ0cf2xHIWnCOhtcJN
         S3KQjfomRkmVS0DgaACGidw/xPcSRACjtUbj4CpzeukyFHWiNZ5E+YBnIwIsNx5h7Kpk
         fC8v9Z9holD6fyMfd/MybdjxTyvT9xTvkAKbBIF4LtWA3k0DfdhkxjWoOKSlUCthPXrZ
         5gBbglrBZyXZg2UG1riHASUGOa4j0RWanp1h1KwqzQ9WyussEay5AmR3HHg/IywVO517
         4yzA==
X-Received: by 10.152.42.144 with SMTP id o16mr18542501lal.9.1395090590661;
 Mon, 17 Mar 2014 14:09:50 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.205.73 with HTTP; Mon, 17 Mar 2014 14:09:10 -0700 (PDT)
In-Reply-To: <CAPhkiZzRZSRH3LWQqL=mik1KJ8i=19QNatFPoK7TXZMru5SKZA@mail.gmail.com>
References: <CAPhkiZzAxQnQpWOh7xhAM4h3r7xCYjD_P3d9mWmDX4Sr0Qc9Ng@mail.gmail.com>
 <CAGa2bXZHYJzcV2E-SDN7-u1_SLrW8Tr7hwkQG5JSnD-7oh-Xvg@mail.gmail.com> <CAPhkiZzRZSRH3LWQqL=mik1KJ8i=19QNatFPoK7TXZMru5SKZA@mail.gmail.com>
Date: Tue, 18 Mar 2014 06:09:10 +0900
X-Google-Sender-Auth: InF8D6WJ6Fdq1shyfEwiIOOEpZg
Message-ID: <CAGa2bXaGRk0PipbF_DYSgcPNwLvs=8nb8yHG9XFawrNFUVmdyQ@mail.gmail.com>
To: Andrey Andreev <narf@devilix.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a11c33ef21601d704f4d3d709
Subject: Re: [PHP-DEV] Session: deprecating create_sid() method and add createSid()?
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a11c33ef21601d704f4d3d709
Content-Type: text/plain; charset=UTF-8

Hi Andrey,

On Mon, Mar 17, 2014 at 8:10 PM, Andrey Andreev <narf@devilix.net> wrote:

> On Mon, Mar 17, 2014 at 12:51 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> > Hi Andrey,
> >
> > On Mon, Mar 17, 2014 at 7:23 PM, Andrey Andreev <narf@devilix.net>
> wrote:
> >>
> >> There's no SessionHandler::create_sid() or
> >> SessionHandlerInterface::create_sid() documented (see your own link to
> >> the docs) ... since when is this available?
> >>
> >> I'm not sure if exposing it is a good idea anyway, why is it necessary?
> >
> >
> > This change is not mine. It was added about 10 years ago, IIRC.
>
> And for 10 years is has not been documented? Really, are you sure that
> it is exposed to userland at all?
>

It may be, but chances are rare. I suppose.
Nobody is using it actually. This would be the reason why it is not
documented
for a long time.

> Having createSid() could be useful. For example, user may have certain
> > prefix for session
> > IDs. User ID prefix is especially useful to know how many active sessions
> > are there.
> > (Note: I advise to use MD5('user_id'.'random_secret') for user ID
> prefixing
> > if user_id
> >  shouldn't be exposed.)
>
> Surely that prefix can just be prepended to the $session_id that gets
> passed to read(), write(), destroy() methods. This argument was given
> to me when I proposed a session.match_ip feature. Why not add this as
> an option to session_start()? Example:
>
> session_start(['id_prefix' => 'foo_']);
>
> (could be an ini setting, for optimization purposes)
>

It could be easier with save handler. Users may register handler like

function session_create_sid( args here ) {
  if (!empty($_SESSION['user_id'])) {
     return create_session_id(md5($_SESSION['user_id']));
  } else {
     return create_session_id();
  }
}

then they may call

session_regenerate_id()

to get prefixed session ID.


>
> > I've added session_create_id(). Therefore, if user start using it, it
> does
> > not hart much.
> > If users do not need modified session ID, they may call
> session_create_id()
> > simply.
>
> Again with the "I've added this", that I opposed previously for
> session_serializer_name(), session_gc() ... What's session_create_id()
> useful for? How would you utilize it?
>

You are asking to write RFC for all additions for _new_ release.

I think session_gc() is must have API. IMHO.
Periodic GC is better than probability based GC even with expire timestamp
(I mean
time stamp for session manager, not save handlers)


>
> > The reason why this is added is Stefan Esser's strict session patch had
> > this, I guess.
> > However, his patch was not fully merged and session remained weak until
> > 'use_strice_mode'
> > patch.
>
> Now I'm confused ... is it added to the core, or just supported as a
> part of the suhosin extension and/or hardening patch?


Stefan proposed strict session patch and it wasn't merged fully. That's all.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a11c33ef21601d704f4d3d709--