Newsgroups: php.internals
Date: Tue, 27 Jan 2015 10:44:47 +0100
Subject: Re: [PHP-DEV] Re: Discussion for RFC: Set appropriate/better defaults.
From: tyra3l@gmail.com (Ferenc Kovacs)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"

On Tue, Jan 27, 2015 at 3:35 AM, Yasuo Ohgaki wrote:

> Hi all,
>
> On Tue, Jan 27, 2015 at 11:06 AM, Yasuo Ohgaki wrote:
>
> > - session.hash_function=1 : Use SHA1 rather than MD5
>
> I realized that we should remove hashing for better performance.
>
> Since session ID is generated from crypt secure RNG (/dev/urandom by
> default),
> simply converting the data into text is enough. Hashing is _slow_.
>
> Any comments?

on the contrary, both sha1 and md5 are super fast, so I don't think that is a
good argument.
and if you remove the hashing there will be no known length for the session
id, and sooner or later people will screw themselves when bumping into some
limit or getting their session id truncated (be that a cookie max length or
a db field).

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu