Newsgroups: php.internals
Date: Thu, 30 Jun 2016 05:59:51 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: internals@lists.php.net
In-Reply-To: <3dd66d47-9196-f1fd-82b6-ee0039c4da0d@gmail.com>
Subject: Re: [PHP-DEV] Re: [RFC][DISCUSSION] Session ID without hashing

Hi Stas,

On Wed, Jun 29, 2016 at 9:09 AM, Stanislav Malyshev wrote:
>
>> The concern that has been discussed is the risk of a broken PRNG and
>> predictable session IDs. We may insist that any platform must have a
>> reliable PRNG, but it would be a good idea to have at least a
>> mitigation. Reading extra bytes should be good enough for this purpose.
>
> I still see no reason stated in the RFC to change it, except performance
> (which is irrelevant in all contexts I know of). It states the change
> but omits the reason why this change is necessary. Could you please add
> that part?

Sure. The main purpose is clean-up. The reason we have messy session ID
creation code for hashing and generating random bytes is that we didn't
have reliable cross-platform PRNG code. We have it now, so there is no
reason to keep complex/redundant/inefficient code.

I'll add this. Thank you.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
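The two schemes debated in the thread side by side, as an added illustration that is not code from PHP or from this discussion: a legacy hash-then-encode ID next to an ID that encodes CSPRNG output directly, using PHP's readable session ID character set, plus the server-side format check a session handler should run before any lookup. The sid_length / bits_per_char parameters, the helper names and the SHA-1 legacy variant are assumptions for the example.

```python
import hashlib
import secrets

# Character set PHP's session module uses for readable IDs (ext/session/session.c).
# Everything below is an added illustration, not PHP's own implementation.
SID_ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"


def encode_readable(raw: bytes, bits_per_char: int) -> str:
    """Pack raw bytes into characters that each carry bits_per_char (4, 5 or 6) bits."""
    if bits_per_char not in (4, 5, 6):
        raise ValueError("bits_per_char must be 4, 5 or 6")
    n_bits = len(raw) * 8
    n_chars = -(-n_bits // bits_per_char)                      # ceil division
    value = int.from_bytes(raw, "big") << (n_chars * bits_per_char - n_bits)
    mask = (1 << bits_per_char) - 1
    return "".join(SID_ALPHABET[(value >> (i * bits_per_char)) & mask]
                   for i in reversed(range(n_chars)))


def bytes_needed(sid_length: int, bits_per_char: int) -> int:
    """Random bytes an ID of sid_length characters can carry without reusing bits."""
    return -(-sid_length * bits_per_char // 8)


def new_session_id(sid_length: int = 32, bits_per_char: int = 5) -> str:
    """Post-RFC style: encode CSPRNG output directly; entropy is sid_length * bits_per_char bits."""
    raw = secrets.token_bytes(bytes_needed(sid_length, bits_per_char))
    return encode_readable(raw, bits_per_char)[:sid_length]


def legacy_session_id(seed: bytes) -> str:
    """Pre-RFC style: hash the entropy first; the digest cannot carry more entropy than the seed."""
    return hashlib.sha1(seed).hexdigest()


def effective_entropy_bits(seed_bits: int, digest_bits: int = 160) -> int:
    """Upper bound on a hashed ID's entropy: hashing never adds randomness, it only reshapes it."""
    return min(seed_bits, digest_bits)


def is_valid_sid(sid: str, sid_length: int = 32, bits_per_char: int = 5) -> bool:
    """Format check before touching session storage: exact length and only allowed characters."""
    allowed = set(SID_ALPHABET[: 1 << bits_per_char])
    return len(sid) == sid_length and all(c in allowed for c in sid)
```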