Newsgroups: php.internals
Xref: news.php.net php.internals:90938
Subject: Re: [PHP-DEV] Re: [RFC Discussion] Precise Session Management
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: "internals@lists.php.net"
Date: Tue, 26 Jan 2016 21:17:27 +0900
References: <56A727C3.9070505@gmail.com>

Hi Stas,

On Tue, Jan 26, 2016 at 7:28 PM, Yasuo Ohgaki wrote:
> I already have/will have 3 RFCs for session.
> This one, session_id() and user space serialize handler.
> https://github.com/php/php-src/pull/1732
> I would like not to have too many RFCs for session.

I would like to make PHP more secure. Session is only a part of it.

I have

https://wiki.php.net/rfc/dbc2
https://wiki.php.net/rfc/secure_serialization
https://wiki.php.net/rfc/introduce-type-affinity
https://wiki.php.net/rfc/script_only_include

and so on. There will even be new RFCs such as automatic CSRF protection when this RFC is finished and the URL rewriter bug is fixed.

I also have

https://bugs.php.net/bug.php?id=68599
https://bugs.php.net/bug.php?id=55391
https://bugs.php.net/bug.php?id=68728
https://bugs.php.net/bug.php?id=69791

and so on.

Three RFCs for session is just too much for me already...

Anyway, we may be better off talking about how it should be. For this thread, how session management should be. It's just not good enough currently.

Besides PHP sessions being too easy to exploit, randomly lost sessions are not acceptable. Weak defaults are not acceptable either.

Let's talk about what's still missing, if anything, to make sessions secure/stable even with this RFC. Better ideas are welcome. If there are any, I'll implement them.

Let's finish the mandatory work and move on.

Thanks,

--
Yasuo Ohgaki
yohgaki@ohgaki.net