Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Session ID without hashing
From: pierre.php@gmail.com (Pierre Joye)
To: Stanislav Malyshev
Cc: Yasuo Ohgaki, internals@lists.php.net
Date: Wed, 29 Jun 2016 14:48:26 +0700
In-Reply-To: <3dd66d47-9196-f1fd-82b6-ee0039c4da0d@gmail.com>

Hi :)

On Wed, Jun 29, 2016 at 7:09 AM, Stanislav Malyshev wrote:
> Hi!
>
>> The concern that has been discussed is the risk of a broken PRNG and
>> predictable session IDs. We may insist that any platform must have a
>> reliable PRNG, but it would be a good idea to have at least some
>> mitigation. Reading extra bytes should be good enough for this purpose.
>
> I still see no reason for the change stated in the RFC except performance
> (which is irrelevant in all contexts I know of). It states the change
> but omits the reason why this change is necessary. Could you please add
> that part?

Same here. I have to ask again what prevents you from writing your own
custom session module and doing everything you consider safe in there.
But this kind of change does not sound very helpful, and not really done
for valid reasons (for that one).

I fully understand the goal to secure (and this is a very open definition)
session management for PHP, but this cannot be done on a step-by-step basis.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org