Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] Secure Session Module Options by Default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Andrey Andreev
Cc: internals@lists.php.net
Date: Mon, 12 May 2014 17:13:33 +0900

Hi all,

On Fri, Apr 4, 2014 at 6:14 PM, Yasuo Ohgaki wrote:
> Sure.
> These are simple changes for better session security.
> I have to update the RFC so that everyone understands the side effects of
> these changes.
>
> hash_bits_per_characters may stay the same, and an additional char for the
> files save handler could be added simply.
> I'll update the RFC this weekend, hopefully.

I updated the RFC. Sorry, it took so long.

I modified the RFC so that it only proposes INI value changes, i.e. I removed the behavior modifications "hash function fall back" and "session ID collision detection in session module rather than save handler".

https://wiki.php.net/rfc/secure-session-options-by-default

Which version should include these?
Any comments?

--
Yasuo Ohgaki
yohgaki@ohgaki.net