Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90954
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 85065 invoked from network); 27 Jan 2016 01:19:04 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 27 Jan 2016 01:19:04 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.173 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.160.173 mail-yk0-f173.google.com  
Received: from [209.85.160.173] ([209.85.160.173:34672] helo=mail-yk0-f173.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 48/74-56702-70B18A65 for <internals@lists.php.net>; Tue, 26 Jan 2016 20:19:03 -0500
Received: by mail-yk0-f173.google.com with SMTP id a85so223292390ykb.1
        for <internals@lists.php.net>; Tue, 26 Jan 2016 17:19:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=ztN7y8IVSoDvrTJLumSixtpIwTQagitUQLnrbEAxekY=;
        b=WjButSLZp0E9lynpA9EMmU1YRivXW8Tgbg5hnHd1nNC2XU+KQHlEaieUVMqZX1cWj2
         GZZXWUnV3BQr8Rj8wixpZFuOSrsibgc4kJ7eWkcm+iROmbN8wuyZS0zNwZE4Mv/MwrkD
         u7MvAKxcbG8QP4p6WxFsUAlv/XIA0A/3PTpEoV6/xQnKHdpbF3MlhEIpiKKcCB0kUaJi
         ZSfXraecPhtpUu7LnJ0jAfDY3Z6idaI7NfnVLlsdnIVxbAwjR3Zb51y0TJLXIZvyTvSG
         km63Bea9FDzNiKv1D3r70MF1+tvDZbREyxXsT9DttEZd8jCTwRwH2wJDyFALUmCusHoA
         rbyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc:content-type;
        bh=ztN7y8IVSoDvrTJLumSixtpIwTQagitUQLnrbEAxekY=;
        b=k2jkkZrwXbidF7I9cAdVTaUuAmCIMF2gomzytYCIyfvZe+mIWlNOCTCovtEDaOtvzU
         EUfBimgcyUAd4O7G+dKGSayCM15qBqXeq/syX8pUH46H99I6a7jpikjZz2QCjnqMh+8N
         ypKv4onfjrEnjZ+xwK1MUwi5axGAgEgtrtiI/hLoL/3YBwkq06HUe0hkDbcn1ShlZBoK
         q6M6YgoOALrHADaVWqrI1EBjZp9L6+laYgVOTAVZm0Q/ApBHbAO5FXvYglzjJ14arhOv
         AxYxTR/5iy4CRMA82uY2t7fxf0KTGutMAaAusOy2mQkRGM0ZUAeo5QaTDSkbSNWJdtu9
         BIvA==
X-Gm-Message-State: AG10YOTE925qd8GolAEfjPUYTWAR8IGwxoOFtamf9cWKYxtHV+wPIkNxBFQcwLGWHuSEc2eRpb1ixVnNweEBXA==
X-Received: by 10.13.226.129 with SMTP id l123mr13308683ywe.0.1453857540164;
 Tue, 26 Jan 2016 17:19:00 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.129.88.139 with HTTP; Tue, 26 Jan 2016 17:18:20 -0800 (PST)
In-Reply-To: <56A80C47.1020001@gmail.com>
References: <CAGa2bXbg_kebBVg3tSh4uFHZ6nQXRbjUXNQa0JZx9sezQqb5kg@mail.gmail.com>
 <CAGa2bXYZXkCJwFKVwaNfV+OEw0FzeFFbtxLm0zRmFVE_b4xsMw@mail.gmail.com>
 <CAGa2bXbRJMZFcXfZc9o7YnAhkDRfYKPjO+10k-eKXdoGNTREbg@mail.gmail.com>
 <CAGa2bXYGpV=P-680ig1LOkYWsSRS-Ya2rYVa3wo3vrxdT=zwiw@mail.gmail.com>
 <CAGa2bXbAH7iDFQ8HbvLKSbq9_ZUJLM1fn6aOWdz4+gYdtXVKjw@mail.gmail.com>
 <56A72B36.5060307@gmail.com> <CAGa2bXYPdiO8ZPRwRVJpWbKj6ctjNotGsaOtu=KZUZuV3iY_xQ@mail.gmail.com>
 <56A80C47.1020001@gmail.com>
Date: Wed, 27 Jan 2016 10:18:20 +0900
X-Google-Sender-Auth: 2YsrXgZOBzb-lRNhLH-zclP2mUs
Message-ID: <CAGa2bXYdxcW8-wSwwQU6VgaC2b707cUGkxpAOc28YQAMrdQikQ@mail.gmail.com>
To: Stanislav Malyshev <smalyshev@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Re: [RFC Discussion] Precise Session Management
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Stas,

On Wed, Jan 27, 2016 at 9:16 AM, Stanislav Malyshev <smalyshev@gmail.com> wrote:
>>> About, since session_id() is a user function, what do we gain by
>>> limiting what it does?
>>
>> Prefix is a part of session ID and it should have the same requirement
>> as session ID for security reasons.
>
> I'm not sure why you're talking about prefix. I thought that the issue
> was that user can supply session_id() with the ID that is not good for
> some reason and you want to filter it on session_id level. Am I wrong?

Oops, sorry. Too many lines to reply, I misread session_id()/session_create_id()

session_id() sets session ID. Invalid char that cannot be accepted should be
rejected. Otherwise, user will have lost sessions without errors.

>
>> There is SessionHandler::create_sid(), but there isn't a function that
>> creates secure session ID.
>
> Why not? The ID created now is not secure? Why? I see it uses
> php_session_create_id(), do you mean this function is insecure too? Why?
> In any case, if you think it is insecure, why not fix it?

SessionHandler::create_sid() is for creating user own ID. Generating ID with
certain prefix.

SessionHandler::create_sid() may call parent create ID function,
though. If parent is session module's save handler, it will call
php_session_create_id().

Currently, there is no simple way to generate session ID with the form
of session module generates. i.e. hash_bits_per_characters=5/6. There
should be an API for it.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net