Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:93266
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 56067 invoked from network); 12 May 2016 11:30:18 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 12 May 2016 11:30:18 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.169 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.220.169 mail-qk0-f169.google.com  
Received: from [209.85.220.169] ([209.85.220.169:36305] helo=mail-qk0-f169.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 78/8B-28272-84964375 for <internals@lists.php.net>; Thu, 12 May 2016 07:30:17 -0400
Received: by mail-qk0-f169.google.com with SMTP id x7so40960517qkd.3
        for <internals@lists.php.net>; Thu, 12 May 2016 04:30:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=Yn9bLC3ccRr+qBRkT/L5cMKWIo9QdF2wKF9dLccWz8g=;
        b=SkaWBf0vjhYwDpQmaZrc2umbmglgYPW0CjeznfyUEAJCLEEtNoj6Wp9tk07wwX2kuz
         QuKZ/UyTxTYuO0CQC96hHrLU/qjAtF6QB7/ssufNS3kBuOz/CU8h0ZzkkccgQQihoiiE
         owCZ52mCoFRONpEVk0qzP2c9ylENh3Z02dDJXtBXdNyIFv387giPzCMz7BA6qiTKbHG0
         WGecioPoTJMA2C7IC4jvwt5WFBYi14Eo4MJFxkxF+VEwKInnb8Bdlp4FylWeWHI4MJYq
         N55mHlgd75tlXKSTEiJz8BgfXnqPJIYqy4PFe4NTgMF00/TMe/kC7jizuNlBz5trnQV2
         9qhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=Yn9bLC3ccRr+qBRkT/L5cMKWIo9QdF2wKF9dLccWz8g=;
        b=QJ1BsZZawYckxVAQn9MWIhBFbnf7wJbr295j2XrL2U19OZL/mWJeJle6scBuTmi6Jf
         P3eLD6uWevc7uePiEaNlxzBJ25q5ABw60ho3pmxU9nA7BcigRjcUmhlkqtiXFqElZW2o
         Tf3GlEg8Aqd0THQT4UUutWQGsXO4fH/NqMKEkBqalq5AK9ADi1gsBZWGt4kQHJtBcJzw
         g124EdyG+y5Yfa5udYjxg3gBCmLTpkYHrQepUQPHoyJUmPOSWmekKDz+HtrLUG0tQDNc
         AGmGr4hZ8Yv/R9HI774JWZgMLCqj+QlfKsEnXhDRo7AFKY8B5zCiARA5A53HmUcT3P1t
         foig==
X-Gm-Message-State: AOPr4FVNgDjAf0sUAfOWnLE0FLblnJoEzsOb+TNIlZ/VLaNzTu/bvZZrIPKa1JR2m6iWqagVUfaUbwrWEclxWQ==
X-Received: by 10.55.80.136 with SMTP id e130mr9425973qkb.28.1463052613985;
 Thu, 12 May 2016 04:30:13 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.140.27.133 with HTTP; Thu, 12 May 2016 04:29:33 -0700 (PDT)
In-Reply-To: <57344C6C.2060707@lsces.co.uk>
References: <CAGa2bXZytbD1H-Rg5eWfiPwEM0p47JSQH-GC-ZayDSLbmbsGVA@mail.gmail.com>
 <c21d1d4b-a790-e1a9-7c93-2c5af4baf5d1@gmail.com> <CAGa2bXboop3KDFnYtcdO-K+hL0To5te_yeHeFEFO-kCVuzNOJQ@mail.gmail.com>
 <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com> <CAGa2bXZwRK0GuXbT53B4w+h5ySiVJnJpo-d87Uiw-reYHi80zQ@mail.gmail.com>
 <CANUQDChxOeydBRLPrvuumf+edqJNKV+TOstGz66X_tg+Y7knPQ@mail.gmail.com>
 <CAGa2bXZC8Qp8-Ggyfj5+0X5aiktSX_AyfRdKAPXFZ=x4+A1XDQ@mail.gmail.com>
 <CANUQDCgi-P4=rWA5H+53_BcWyqeWaC_QOADUNMb_jV70KuhEPw@mail.gmail.com>
 <CAL0xaBFTF28h7ZTCkk=gn2=kepv0xe_Gk0+zjhmZzDmLJYU3-w@mail.gmail.com>
 <CAGa2bXbX_YhpJEr+9XjTb3xxgb2KTw=LEjC97A0vM4_WNiSvnA@mail.gmail.com>
 <CAL0xaBF8e7PhY_hqNYwNvxwRiha1=rUtLBfugUNC2FGf2FndzA@mail.gmail.com>
 <CAGa2bXa8B+4vuOiWNSt79gcSvyr2aAKv_VEbigiKTVsuaZT89g@mail.gmail.com>
 <CAEZPtU7SW+yDmv_uNr_YB3MeVq_saiySaDZpF2jTOQqBzbw9Mg@mail.gmail.com>
 <CAGa2bXbwJHRES6Bf+u07pO2e9WS6C+sTwjoY9p8kWAUntSLbCQ@mail.gmail.com> <57344C6C.2060707@lsces.co.uk>
Date: Thu, 12 May 2016 20:29:33 +0900
X-Google-Sender-Auth: hUzYqfZHBOpjK4wM682AQ1_Vk_c
Message-ID: <CAGa2bXayMhvYLwrTdnwzs=PJr3WaLLOeTQvKZOu+fdMJ79U=Rw@mail.gmail.com>
To: Lester Caine <lester@lsces.co.uk>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Lester,

On Thu, May 12, 2016 at 6:27 PM, Lester Caine <lester@lsces.co.uk> wrote:
> On 12/05/16 04:19, Yasuo Ohgaki wrote:
>> It could be an option that abandon session module and let users to
>> implement decent session manager because we are taking too long time
>> even for mandatory things even if there are implementations. It is
>> simply taking too long time to fix them. I'm half joking, but half
>> serious :)
>
> Yasuo ... THIS is the situation with a number of elements of PHP, and I
> DO understand where you are coming from. PHP is nicely modular and so
> creating a complete module ... well documented ... clean API ... makes
> perfect sense. Getting acceptance may be a different matter, such as
> switching from mysql to mysqli, but it does provide a document-able
> upgrade path for the problem in hand.
>
> I'm the first to admit I rely on the simple options so still use
> anonymous session for the majority of users simply because they are
> never going to log in, while I conciser and authenticated user as a
> different animal so needs a different type of security. That is the main
> reason I posted the 'off topic' bits earlier in this thread. It IS a
> matter of what is the ideal set-up for the vast majority of PHP users
> who can justify laying out lots of money for the best chargeable
> security, and there is now at least a path that can be documented to
> help them which includes https, sessions and authentication?

I was half serious and willing to maintain/improve session module,
security related area especially.

Anyway, session module should be like RDBMS, not NoSQL. I don't want
to care about locks, race conditions, synchronization,
vulnerabilities, etc. It should just work out of the box with
reasonable default behavior. IMO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net