Newsgroups: php.internals
Date: Tue, 28 Jun 2016 19:59:00 +0900
To: "internals@lists.php.net"
Subject: Re: [RFC][DISCUSSION] Session ID without hashing
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

On Wed, Apr 6, 2016 at 2:47 PM, Yasuo Ohgaki wrote:
> The session module does not require hashing to generate session IDs. This
> RFC removes hashing from the session module and enables use_strict_mode as
> insurance against a broken RNG.
>
> https://wiki.php.net/rfc/session-id-without-hashing
>
> Comments are appreciated!

It's been a while since the last discussion. I would like to add this change
to the session module at least for PHP 7.1.

The concern that has been discussed is the risk of a broken PRNG and
predictable session IDs. We may insist that any platform must have a reliable
PRNG, but it would be a good idea to have at least some mitigation. Reading
extra bytes should be good enough for this purpose.

I also changed the minimum length of the session ID from 32 to 22 for better
compatibility. 22 is the length with an MD5 hash and hash_bits_per_character=6.

The PR will be updated soon. I would like to start the vote after the PR
update, so please post comments if any.

Thank you.

--
Yasuo Ohgaki
yohgaki@ohgaki.net