Newsgroups: php.internals
From: markus@fischer.name (Markus Fischer)
To: internals@lists.php.net
Date: Thu, 7 Apr 2016 21:01:23 +0200
Message-ID: <5706AE83.4010004@fischer.name>
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Session ID without hashing

On 06.04.2016 07:47, Yasuo Ohgaki wrote:
> Session module does not require hashing to generate session ID. This
> RFC removes hashing from session module and enable use_strict_mode as
> an insurance for broken RNG.
>
> https://wiki.php.net/rfc/session-id-without-hashing

I cannot talk about the merits of the randomness-change here, but
use_strict_mode defaulting to 1 is major +1 from me.

Why it's advertised everywhere as best practice but even set to 0 in
php.ini-production is beyond me.

- Markus