Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Session ID without hashing
Date: Tue, 28 Jun 2016 17:09:54 -0700
Message-ID: <3dd66d47-9196-f1fd-82b6-ee0039c4da0d@gmail.com>

Hi!

> The concern that has been discussed is the risk of a broken PRNG and a
> predictable session ID. We may insist any platform must have a reliable
> PRNG, but it would be a good idea to have least mitigation. Reading
> extra bytes should be good enough for this purpose.

I still see no reason to change it stated in the RFC except performance
(which is irrelevant in all contexts I know of). It states the change
but omits the reason why this change is necessary. Could you please add
that part?

--
Stas Malyshev
smalyshev@gmail.com