Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:94357 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 98078 invoked from network); 2 Jul 2016 08:17:13 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Jul 2016 08:17:13 -0000 Authentication-Results: pb1.pair.com header.from=leight@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=leight@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.50 as permitted sender) X-PHP-List-Original-Sender: leight@gmail.com X-Host-Fingerprint: 209.85.215.50 mail-lf0-f50.google.com Received: from [209.85.215.50] ([209.85.215.50:33639] helo=mail-lf0-f50.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 82/B0-28154-78877775 for ; Sat, 02 Jul 2016 04:17:11 -0400 Received: by mail-lf0-f50.google.com with SMTP id f6so90098461lfg.0 for ; Sat, 02 Jul 2016 01:17:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=ZD+/iAHgOC3plZKHsKrcGAkecRHZZqd6TwrH6M6V73M=; b=AaezbOst80G8P+GmJfOuyx7T/78X4QGyeFe0ZIlprv3RH6RorTf/Wx/fRCqhFzrxi9 alg3THwKt67DnZytrPAtFXgpFIpV9F1+Pc7ITC+f4tZqMljrSNN4isNghuBOU+MpLXnM m9j/70BWCq9N5HZKfYzeS8MS4pXWCLBVxFPF5beAdiiLTWMG062aogb3VWEktItEDXiE jT3p7bPQj0y6YF8vt8ZtiyhbVS1QckYya6v+Ftx4FDIYO2JESWg88tuPLYo1GBbDhsYR pV6Q8/MQKFRVgR+dJGEAIST5aKKZ4TRw4rfq8Yl08D+2Xtt78Tx2aRmZFdL+XR3ztZkU Aimw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ZD+/iAHgOC3plZKHsKrcGAkecRHZZqd6TwrH6M6V73M=; b=hCb286gZaZP+7lMHf6LnZWbFfVBTScFFLYvGqm6NELmVodLS0ZHXuv+qILlerPovbc rgo4kRoKqS56fYYcNiFUN6Ug8rOC4GyDxZ5JIPE6dDr/jGg4GE4ATKfe3d1NdXTHb9a6 rKQDuP0ufFTbd542NuxjHcDGff2Jtcv01Vpye1IAeRkLkUm/0/JVYRecvik8rQA2nioA zrm/4iqiZhAor8453ntU7MEfmUsYikYB/3hn2Bsy+zerXY4Kc9Wcf3nbU/VgUqpRBY2u Zxn4ofD9ydNWXlrMookEfhCfsY9lnbApM30xaSR0xPgQUunIfJBfPnxb5wTPL2mMrCrD T6zA== X-Gm-Message-State: ALyK8tLIHKwvSsvMVe9nlXs2oDCFqE8Eb6sIRNTkwWukoO4fD5el9MurXTMmz0/RMh1wh8rAl1QUXDfPEw+76w== X-Received: by 10.46.33.193 with SMTP id h62mr513099lji.41.1467447428204; Sat, 02 Jul 2016 01:17:08 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: Date: Sat, 02 Jul 2016 08:16:58 +0000 Message-ID: To: Yasuo Ohgaki , "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a1142c028af4ec90536a2ba46 Subject: Re: [PHP-DEV] [RFC][VOTE] Session ID without hashing From: leight@gmail.com (Leigh) --001a1142c028af4ec90536a2ba46 Content-Type: text/plain; charset=UTF-8 On Sat, 2 Jul 2016 at 08:36 Yasuo Ohgaki wrote: > Hi all, > > Currently session module uses obsolete MD5 for session ID. With > CSPRNG, hashing is redundant and needless. It adds hash module > dependency and inefficient (There is no reason to use hash for CSPRNG > generated bytes). > > This proposal cleans up session code by removing hash. > > https://wiki.php.net/rfc/session-id-without-hashing > > I set vote requires 2/3 support. > Please describe the reason why when you against this RFC. Reasons are > important for improvements! > I support the idea proposed here, but I have issues with the implementation. You've changed a lot of defaults that may break things for some users (especially those using custom session handlers). I'll add some notes on github. --001a1142c028af4ec90536a2ba46--