Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:90945 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 65791 invoked from network); 26 Jan 2016 22:15:42 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Jan 2016 22:15:42 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.182 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.160.182 mail-yk0-f182.google.com Received: from [209.85.160.182] ([209.85.160.182:33860] helo=mail-yk0-f182.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2F/21-56702-D00F7A65 for ; Tue, 26 Jan 2016 17:15:41 -0500 Received: by mail-yk0-f182.google.com with SMTP id a85so218426252ykb.1 for ; Tue, 26 Jan 2016 14:15:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=eMg5X37w0iuYh9tU1AsnLEc3a5DA5pD0aGz2tYuzO1k=; b=SJDFfd9u9UhUrtcez00U0G5mHjAEf/rD+Y5FAFidSfTTT/AixzP0x7+9TghJLmPCa3 /7+xSvZ/1lo94eUreFnGPjXPub/m37VcDGJl4puWT60odNg+zWHmlvVtO1bh5NBuOlC8 tzrMJfN2/voyALgK1uvLWiacDQgLoJgtwPRHefhpudqLO8EbqRHNFMm79rFIk3XuztJI XbQfnwScO1SpOsIPfRl2LjAgZvoq2D4Lur969WlJn6Irp13dHV/p5GNd5zZx3lSt6Rv0 HSxtP+K44UcSIboKqIpWPvlhaOxVC+YfgJNlxdNWqYCgQ/EVSUbtrIl61BJYCwFO4nws 1EXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=eMg5X37w0iuYh9tU1AsnLEc3a5DA5pD0aGz2tYuzO1k=; b=EmA2FD6kBRsXVd8EHcqM5Xf45QdMACaiArhO8b8W8Lf2BAXgIXO/ketDRoHbWq6vIv wwCZPl6S0a3EHjBWXGRYyKvYE1VSuDn/osfUvevEssohl0ZOIJRAEKpwuv8BP0tRjKt3 WzxaEd0Ap26nDuaiPxjzvxxHXGMX2EIiL8hJ670BvffHVuYDwejbZPTwYfoO5F7oRRbH dNsjG1jQ0QI3Sye14HO/+N2lFBm8M+5Uxk4CLhucRWB9S2KZTet8afQl8Fg28oUGqhGp kDKrC9+SLCOQOwV5NxQXpmiDET0YQmhGdRdkp0/n2zOoFkknrNYLvIpMUqIA+TOgeYfa XFkw== X-Gm-Message-State: AG10YOQpk9RLHTDqelZNAMth/1mmyFeKFjbbNlqk8FN7pxuuTXMMKWH12chzbMaBSZCYuvlMdFmJgr/yWrrJoA== X-Received: by 10.129.60.12 with SMTP id j12mr14463920ywa.86.1453846538821; Tue, 26 Jan 2016 14:15:38 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.129.88.139 with HTTP; Tue, 26 Jan 2016 14:14:59 -0800 (PST) In-Reply-To: References: <56A727C3.9070505@gmail.com> Date: Wed, 27 Jan 2016 07:14:59 +0900 X-Google-Sender-Auth: a1obp-QNVaG5x1LMYsEPRyUSehY Message-ID: To: Dan Ackroyd Cc: Stanislav Malyshev , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] Re: [RFC Discussion] Precise Session Management From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Dan, On Wed, Jan 27, 2016 at 12:05 AM, Dan Ackroyd wrote: >> I'll appreciate if one could find defect if there is. > > The problem is that you're trying to build on a foundation of sand. > The session handling works but is incredibly fragile. > > Or to put it more colloquially this is a "how to get to Dublin > problem". To get to having a more secure and reliable session > handling, we need to start from some where else, not just keep > building on top of the current session handler code. > > The proposed RFC is not a good way to proceed. Having functionality > depend on setting values in an array like this (as far a I've > undertood the RFC): Why depending setting values (timestamp) is not good way. If you know, please let me know how to manage expiration w/o timestamp. > > // Resend new session ID once. This will reduce chance of client > // race and lost session by unstable network to acceptable level. > $_SESSION['__PHP_SESSION__']['NEW_SID_SENT'] = time(); > > is not a sensible way of programming imo. Additionally, changing code > that is apparently very fragile and so breaking people's applications > in subtle ways, is not something we should be doing. I agree that it is difficult for people who don't know PHP session module code. Function dependency and state management may seem like maze. However, once you understand, it's not that hard. It's only a few thousands lines. > >> Anyway, we may be better to talk about how it should be. >> For this thread, how session management should be. >> It's just not good enough currently. > > To me, there are two good ways to proceed: > > i) Develop a new session extension, that doesn't depend on magic > behaviour of globals and leave the current session handler as it is. > The new session extension could be shipped as a 'work in progres' when > it's good enough, before PHP 8. Then when it's stable, we could figure > out how to transition users from the old extension. > > ii) Develop a session handler in userland code only. PHP is powerful > enough to support this. Although obviously there are big benefits to > shipping a session handler with PHP, I don't see any need for it to be > done internally other than we don't currently have a way of shipping > userland code with an extension. I'm hoping that before PHP 8, the > ability to ship PHP code as part of extensions would be in place. > > Either of those two would be feasible. The proposed RFC doesn't appear > feasible to me. > Why? it's already there and it works. You are proposing - Leave random lost session bug - Leave session exploit easy I think we must fix these. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net