Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:84259
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 75485 invoked from network); 3 Mar 2015 18:22:21 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Mar 2015 18:22:21 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.54 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.216.54 mail-qa0-f54.google.com  
Received: from [209.85.216.54] ([209.85.216.54:61345] helo=mail-qa0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 44/D3-03783-CDBF5F45 for <internals@lists.php.net>; Tue, 03 Mar 2015 13:22:20 -0500
Received: by mail-qa0-f54.google.com with SMTP id v8so1189740qal.13
        for <internals@lists.php.net>; Tue, 03 Mar 2015 10:22:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=BDkr9tt4edWMaPtm8SmGz3sec/BVyZnfC7dznuEwasM=;
        b=avMd93p/mpdMe1LMjdTx+aqzn3GJvs8imomMVY5acG0x0hbVW3egB0MmdSZ4AtU6+A
         GNTZMi4IV5k/JZ/TAfQJXwFM/o3TKOENTFsEJK9ePJtdS9hfyAfZyTSWRfEp7aU8jjsQ
         E9+cBCqjXPfBY7IeExBYcti4QkoJXVLYpqEK0idtBOuhgyj2czLFfdgAmS9HGPjV4pGy
         Xvb9YyS2vNUKs0/nVqOyov1axL6zfj4v15TOazINhqZENRcnhs3chI3OIdkXX0/zKayM
         eVBmQxn/Thllw0+Nm7gBWYJSpFJ3hInTphcjNNkme4nYp6uxKQzUE8EgJPHUJG8EMHiC
         d8vA==
X-Received: by 10.140.31.116 with SMTP id e107mr375116qge.36.1425406937992;
 Tue, 03 Mar 2015 10:22:17 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.229.198.8 with HTTP; Tue, 3 Mar 2015 10:21:37 -0800 (PST)
In-Reply-To: <CAPhkiZw=Lgz=_q=pDCobv3nCG5bwcyqOpTV91W=H+Pb59H2OzA@mail.gmail.com>
References: <CAGa2bXb2qm3Y0S_dVDe+Orh6kbuuQOOgLNc_VwycZCCiSxPZ2w@mail.gmail.com>
 <CAGa2bXaLzn4-Tvss_pT=Sxjk_hi4jF6pxdt-HrEChQiqCVdVvA@mail.gmail.com> <CAPhkiZw=Lgz=_q=pDCobv3nCG5bwcyqOpTV91W=H+Pb59H2OzA@mail.gmail.com>
Date: Wed, 4 Mar 2015 03:21:37 +0900
X-Google-Sender-Auth: joscsmJBeqNzqNUL9bbsxiFj0zY
Message-ID: <CAGa2bXZD3-AP8pTej9W+0XgThXgvJFbh=1UpsjSaPZHoKrg+fw@mail.gmail.com>
To: Andrey Andreev <narf@devilix.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=001a113a95443313570510666a2b
Subject: Re: [PHP-DEV] Re: Bug #69127 session_regenerate_id(true) randomly
 generates a warning and loses session data
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--001a113a95443313570510666a2b
Content-Type: text/plain; charset=UTF-8

Hi Andrey,

On Tue, Mar 3, 2015 at 7:40 PM, Andrey Andreev <narf@devilix.net> wrote:

> Why do you want to change it at all? If you don't want the data to get
> immediately deleted, pass FALSE to the function and let the GC erase
> it later.
>

It's not precise at all. Old session data that must be deleted could exists
as long as it is accessed. i.e. Stolen session could exists as long as
attacker accesses it.

Timestamping is the method. It's the same as I proposed before.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--001a113a95443313570510666a2b--