Newsgroups: php.internals
Delivered-To: mailing list internals@lists.php.net
To: Yasuo Ohgaki, internals@lists.php.net
Message-ID: <5706EEF3.3050705@gmail.com>
Date: Thu, 7 Apr 2016 16:36:19 -0700
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Session ID without hashing
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> Session module does not require hashing to generate session ID. This
> RFC removes hashing from session module and enables use_strict_mode as
> an insurance for broken RNG.
>
> https://wiki.php.net/rfc/session-id-without-hashing

I'm not sure why that should be the default. First of all, I'm not sure exporting the state of the PRNG is that good an idea; there may be a vulnerability in the PRNG that could be opened (or made easier) for exploit with direct access to its output. I'd rather not provide this opening unnecessarily. Second, I do not see why we need to do a maximum-breakage change if we could just make an identity "hash" function and support both cases.
"Session generation performance" does not have a lot of meaning here - I'd be very surprised to see any application that is bound by the speed of generating session IDs.

Also, I don't see how the use_strict_mode change is related to the hashing. Could you explain?

-- 
Stas Malyshev
smalyshev@gmail.com
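To picture the two designs discussed in this thread side by side (raw PRNG output as the ID versus a hashed ID, with a use_strict_mode-style check as the backstop), here is an added PHP example that is not code from the thread or from php-src. The names generate_sid, accept_sid, SID_RANDOM_BYTES and the in-memory $issued store are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical constant (not a real php.ini key): bytes of CSPRNG output per ID.
const SID_RANDOM_BYTES = 32;

/**
 * Generate a session ID from CSPRNG output.
 * $hashAlgo === null is the "identity hash" case from the thread: the raw
 * random bytes are hex-encoded and used directly as the ID, so the PRNG
 * output is exposed to the client. Any algorithm accepted by hash() instead
 * keeps the raw PRNG output hidden behind a one-way function.
 */
function generate_sid(?string $hashAlgo = null): string
{
    $raw = random_bytes(SID_RANDOM_BYTES);   // CSPRNG; throws if no secure source
    if ($hashAlgo === null) {
        return bin2hex($raw);                 // identity: PRNG output is the ID
    }
    return hash($hashAlgo, $raw);             // hashed: PRNG output never leaves the server
}

/**
 * use_strict_mode-style acceptance: an ID presented by a client is honoured
 * only if the server itself issued it earlier. A client-supplied ID that was
 * never issued (for example one produced by a broken RNG) is not adopted.
 * $issued is a hypothetical list of IDs the server handed out.
 */
function accept_sid(string $presented, array $issued): bool
{
    // Cheap syntactic filter: this example only ever issues lowercase hex.
    if (!preg_match('/\A[0-9a-f]+\z/', $presented)) {
        return false;
    }
    foreach ($issued as $id) {
        if (hash_equals($id, $presented)) {   // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed demonstration: one raw-PRNG ID, one sha256-hashed ID.
$issued = [generate_sid(), generate_sid('sha256')];
var_dump(accept_sid($issued[0], $issued));            // issued by the server: accepted
var_dump(accept_sid(str_repeat('0', 64), $issued));   // never issued: rejected
```

Both generators produce 64 hex characters here, so the strict-mode check behaves identically whichever one is in use; it is the hashing step, not the acceptance check, that decides whether raw PRNG output reaches the client.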