Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:90950 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 76788 invoked from network); 27 Jan 2016 00:16:12 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Jan 2016 00:16:12 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.181 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.192.181 mail-pf0-f181.google.com Received: from [209.85.192.181] ([209.85.192.181:35873] helo=mail-pf0-f181.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 69/03-56702-C4C08A65 for ; Tue, 26 Jan 2016 19:16:12 -0500 Received: by mail-pf0-f181.google.com with SMTP id n128so107157180pfn.3 for ; Tue, 26 Jan 2016 16:16:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=gQAJFAVrh9l2LCSa/HINBMcyV/tnZ53s9nRIWBGznuI=; b=vodNY9oW99/AtcHuuSRPW5B0Q+u/P8fmwPxC3T5TVGJtIS4YLYuwtOL+sATjJb9b81 wntY2/R4X90Ir7CtNdqXeAJQw1xW1OGD5CCRJMbunWfKnsbe6Le1A1sZ7UcfStRUFtm4 1x5joPi6a64v2d8xR492oOsgQX1PNSgy+22fQt3QNeleXzJMnMMqrib5rXAJAJ4C416v FcA4zu11l56nBIN50JUhNwVvQinzDnBlySyZ9CCdxBwNK7aVBkKuqKjG2LghVo/bNHVk 1MbBPcwQfzRtppkTNIgiDorh1TGn7bUePWcJ9UWIe7XErTHvF0UHjB32AX9pEz+7gJUR bJNQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=gQAJFAVrh9l2LCSa/HINBMcyV/tnZ53s9nRIWBGznuI=; b=Cyfj07b1fZtDIL4XfmsMcaPgvfN9mXfhYWc8NWW3gWhiVcAapMn21BCHVIDqKD3naV TifWIWHz1E8ueargGz6ywporZHUkBju/+ADLGdBNE2C/rla3X3/eeYQ9g7NW8neoNSId mXuoOijWEO4Yk+8776Hcx6pVKVnlL33UscUK+iNyW7SRt/MkiX33ZCzEEV7OE+0f2tBK SgfsYaeZ8RFaYJXoasfIBe6PfG8IclHKAelmfMv/1I+bLH9YVOlDkMtzRWLFLJ2wYb61 n/RFntJgsdYT+r3T2v7qp/LFJaeku37bSGvfq/Lrfgh0MUygREthOczcvDuS8TEpc6vD SD6A== X-Gm-Message-State: AG10YOQtorqhqMMTALRVt6BzuDykk52nktMWn+IOpmX8vjtZevDSWcQIn4X9Nz0acMpSBg== X-Received: by 10.98.31.84 with SMTP id f81mr38111293pff.98.1453853769629; Tue, 26 Jan 2016 16:16:09 -0800 (PST) Received: from Stas-Air.local (76-220-46-95.lightspeed.sntcca.sbcglobal.net. [76.220.46.95]) by smtp.gmail.com with ESMTPSA id ss5sm4312888pab.15.2016.01.26.16.16.08 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 26 Jan 2016 16:16:08 -0800 (PST) To: Yasuo Ohgaki References: <56A72B36.5060307@gmail.com> Cc: "internals@lists.php.net" X-Enigmail-Draft-Status: N1110 Message-ID: <56A80C47.1020001@gmail.com> Date: Tue, 26 Jan 2016 16:16:07 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: [RFC Discussion] Precise Session Management From: smalyshev@gmail.com (Stanislav Malyshev) Hi! >> About, since session_id() is a user function, what do we gain by >> limiting what it does? > > Prefix is a part of session ID and it should have the same requirement > as session ID for security reasons. I'm not sure why you're talking about prefix. I thought that the issue was that user can supply session_id() with the ID that is not good for some reason and you want to filter it on session_id level. Am I wrong? > There is SessionHandler::create_sid(), but there isn't a function that > creates secure session ID. Why not? The ID created now is not secure? Why? I see it uses php_session_create_id(), do you mean this function is insecure too? Why? In any case, if you think it is insecure, why not fix it? -- Stas Malyshev smalyshev@gmail.com