Newsgroups: php.internals
Date: Wed, 19 Mar 2014 16:12:54 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: internals@lists.php.net
Subject: [RFC] [Discussion] Secure session_regenerate_id()

Hi all,

I think most of the concerns about session_regenerate_id() have been discussed. I would like to finish this RFC.

The following RFC was made to make session_regenerate_id(TRUE) the default behaviour. I initially tried to remove old session data immediately with this RFC, but it turned out we should care more about reliability in real-world environments.

Secure session_regenerate_id()
https://wiki.php.net/rfc/session_regenerate_id

The time stamp could be kept outside of $_SESSION. That would require BC modifications in the serializer and/or save handler. It would be complex and possibly slower, depending on the implementation.

I hope it is precise enough and the idea behind it is easy to understand. If you have suggestions, they would be appreciated. Names, especially, can be anything. If I'm missing something, please let me know.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
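The following is an added illustration, not the RFC's patch and not code from PHP's session extension. It approximates in userland the design the message argues for: on regeneration the old session record is not deleted at once but stamped with a destruction time (here kept inside $_SESSION, the variant the author settled on) and honoured only for a short grace period, so in-flight requests that still carry the old cookie keep working while a captured old ID stops being useful after a bounded window. The key names, the 60-second TTL and the function names are assumptions made for this example; session_create_id() exists only from PHP 7.1 onwards, which postdates the 2014 message, and the strict-mode toggle follows the pattern shown in the PHP manual for that function.

```php
<?php
// Added example, not the RFC's own code or PHP's internal implementation.
// Requires PHP >= 7.1 (session_create_id) and session.use_strict_mode=1.
// Key names, TTL and helper names are assumptions for this illustration.

const DESTROYED_AT = '__destroyed_at';    // hypothetical bookkeeping key
const NEW_ID       = '__new_session_id';  // hypothetical bookkeeping key
const DESTROY_TTL  = 60;                  // grace period in seconds (assumed)

/**
 * Replacement for session_regenerate_id(true) that keeps the old record
 * readable for DESTROY_TTL seconds instead of removing it immediately.
 * Returns the new session ID.
 */
function regenerate_with_grace(): string
{
    $live = $_SESSION;
    unset($live[DESTROYED_AT], $live[NEW_ID]);   // bookkeeping never carries over

    $newId = session_create_id();

    // Stamp the OLD record; its application data stays intact so that a
    // concurrent request with the old cookie still sees a consistent session.
    $_SESSION[DESTROYED_AT] = time();
    $_SESSION[NEW_ID]       = $newId;
    session_write_close();

    // Open the new ID. Strict mode would refuse an ID that has no record yet,
    // so it is switched off only around this single session_start().
    session_id($newId);
    ini_set('session.use_strict_mode', '0');
    session_start();
    ini_set('session.use_strict_mode', '1');

    $_SESSION = $live;
    return $newId;
}

/**
 * Use instead of a bare session_start(). Returns true when the presented ID is
 * current or still inside its grace period; returns false when a stale
 * (destroyed) record was presented, in which case its data is discarded and a
 * fresh, empty session is issued.
 */
function start_with_destroy_check(): bool
{
    session_start();
    if (!isset($_SESSION[DESTROYED_AT])) {
        return true;                                 // record was never superseded
    }
    if (time() - (int) $_SESSION[DESTROYED_AT] <= DESTROY_TTL) {
        return true;                                 // late request, e.g. parallel XHR
    }
    // Grace period over: the old ID must not yield any data any more.
    $_SESSION = [];
    session_regenerate_id(true);                     // drop the stale record, new ID
    return false;
}
```

A request handler would call start_with_destroy_check() first and regenerate_with_grace() at privilege changes such as login. Storing the stamp in $_SESSION, as above, works with any save handler and serializer; moving it out of $_SESSION, the alternative the message mentions, would need the handler's record format to change, which is the BC cost referred to there. Because stale records are only rejected when they are read, garbage collection still has to remove them eventually.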