Newsgroups: php.internals
Date: Fri, 30 Oct 2015 19:48:33 +0000
From: leight@gmail.com (Leigh)
To: internals@lists.php.net
Subject: Make sessions use php_random_bytes in 7.1

Hi all,

I would like to refactor session id generation to use our new php_random_bytes API as the single entropy source for session ids, targeting 7.1.

Overall this would give a small performance increase to session generation, a large security increase to session generation, and remove some points of possible user error.

There are a few things to consider while doing this:

session.entropy_file will no longer be needed, as the best source of random for the operating system will be selected.

session.entropy_length should be ignored, as this was to specify the length of *additional* entropy, and may be non-zero in legacy configuration files that are preserved across upgrades.

session.hash_function should be deprecated; there is no benefit to hashing cryptographically strong random bytes. However, people may be relying on this to get session ids of a certain length.

We will have to introduce a new setting to control session id length, perhaps overridden if session.hash_function is non-default.

We have a year to play with the details. I'd like to hear if there are any strong objections to this proposal.

Cheers,

Leigh.
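
An added example, not code from the message above or from php-src: one way a session id of a configurable length can be drawn directly from the OS CSPRNG with no hash step. `csprng_bytes` (reading /dev/urandom) is a stand-in for php_random_bytes, and the function names, the alphabet and the bits-per-character parameter are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed alphabet: the first 16/32/64 symbols serve 4/5/6 bits per character. */
static const char SID_ALPHABET[] =
    "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-";

/* Stand-in for php_random_bytes(): fill buf from the OS CSPRNG, 0 on success. */
static int csprng_bytes(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, n, f) : 0;
    if (f) fclose(f);
    return (f && got == n) ? 0 : -1;
}

/* Encode raw bytes as out_len characters, `bits` bits each (low bits first).
 * A power-of-two alphabet keeps every character uniform: no modulo bias. */
static int encode_sid(const unsigned char *in, size_t in_len,
                      char *out, size_t out_len, unsigned bits)
{
    unsigned acc = 0, have = 0;
    size_t i = 0, o;
    if (bits < 4 || bits > 6 || in_len * 8 < out_len * bits) return -1;
    for (o = 0; o < out_len; o++) {
        if (have < bits) { acc |= (unsigned)in[i++] << have; have += 8; }
        out[o] = SID_ALPHABET[acc & ((1u << bits) - 1)];
        acc >>= bits; have -= bits;
    }
    out[out_len] = '\0';
    return 0;
}

/* sid_len characters straight from the CSPRNG, no hash; out holds sid_len + 1 bytes. */
static int make_session_id(char *out, size_t sid_len, unsigned bits)
{
    unsigned char raw[192];             /* enough for 256 chars at 6 bits */
    if (bits < 4 || bits > 6 || sid_len == 0 || sid_len > 256) return -1;
    size_t need = (sid_len * bits + 7) / 8;
    if (csprng_bytes(raw, need) != 0) return -1;   /* fail closed, no weak fallback */
    return encode_sid(raw, need, out, sid_len, bits);
}

int main(void)
{
    char sid[257];
    if (make_session_id(sid, 32, 5) != 0) return 1;
    return puts(sid) < 0;
}
```

Here the id length is a direct parameter rather than a side effect of the digest size, which is the role the message gives to the proposed new setting.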