Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] [Discussion] Secure session_regenerate_id()
From: pierre.php@gmail.com (Pierre Joye)
To: Yasuo Ohgaki
Cc: Stas Malyshev, "internals@lists.php.net"
Date: Thu, 20 Mar 2014 05:02:40 +0100
References: <5329E37C.5000106@sugarcrm.com> <532A43C5.309@sugarcrm.com>

Hi Yasuo,

I really appreciate your constant effort to improve security and PHP in general. In the case of the session management I am not sure I can vote positively on the current RFC(s).

On Thu, Mar 20, 2014 at 4:07 AM, Yasuo Ohgaki wrote:
> Hi Stas,
>
> On Thu, Mar 20, 2014 at 10:26 AM, Stas Malyshev wrote:
>
>> > I'm recognizing reliability/availability as a part of security.
>> > ISO 27000 defines it as a part of security.
>>
>> Let's not parse semantics here. Declaring something that is not a security
>> issue - i.e. would not lead to unauthorized access, data disclosure,
>> etc. - as a security issue only makes real security issues drown in the
>> noise and not get proper priority. And mislead people into thinking that
>> existing ways - which are fine - are somehow insecure and make them not
>> use them.
>>
>
> I'm OK with a different name.
> Lines between security issue or not are vague.

I agree with Stas here. I have been asking for past CVEs related to the possible issues you described here; I did not find any and sadly did not get any information which could change my mind.

Most of what is described here should be covered by the application layer, as it really depends on what developers need. Per se, the current session module is safe. It may not cover all edge cases, but this is why we have the necessary API to allow developers to add behaviors as desired (not necessarily required, which is the point I agree with Stas here).

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org