Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Session ID without hashing
From: leight@gmail.com (Leigh)
To: Yasuo Ohgaki, "internals@lists.php.net"
Date: Sat, 02 Jul 2016 08:39:12 +0000

Actually decided to post so

On Sat, 2 Jul 2016 at 09:16 Leigh wrote:

> On Sat, 2 Jul 2016 at 08:36 Yasuo Ohgaki wrote:
>
>> Hi all,
>>
>> Currently the session module uses obsolete MD5 for the session ID. With
>> a CSPRNG, hashing is redundant and needless. It adds a hash module
>> dependency and is inefficient (there is no reason to use a hash for
>> CSPRNG-generated bytes).
>>
>> This proposal cleans up session code by removing the hash.
>>
>> https://wiki.php.net/rfc/session-id-without-hashing
>>
>> I set the vote to require 2/3 support.
>> Please describe the reason why when you are against this RFC. Reasons are
>> important for improvements!
>
> So I have a few issues that span the RFC and the implementation.

Your RFC states hardcoded default and php.ini-* default values are the same. This is not the case. Originally the session id length and character set were controlled by session.hash_function and/or session.hash_bits_per_character. These customisations to configuration will be lost when the user upgrades. You have provided a mechanism to control length and charset, but it will require new changes to the default settings. This needs to be noted as a breaking change.

Your default for session.sid_length is 48. Up to 7.1 the session id length is 32. Your default for session.sid_bits_per_character is 5; up to 7.1 the session id uses 4 bits per character. This is a breaking change. (Imagine custom session handlers that validate session id character sets, or database schemas that will truncate after 32 characters.)

Your patch updates session.use_strict_mode from 0 to 1. I actually don't know what this changes, but it's an undocumented change.

Overall your patch looks very similar to the one I was working on earlier in the year, although you appear to have deleted a bunch of tests that you could have just updated. You should probably put those back, and update them.
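An added illustration of the length and character-set break described above (example code written for this page, not from the RFC or the patch): a handler-side session ID check derived from session.sid_length and session.sid_bits_per_character, the two ini names the RFC introduces, showing that a validator or a 32-character schema written for the old 32-hex-character IDs rejects or truncates the proposed 48-character, 5-bit IDs. The alphabets are the ones PHP's session module maps to each bits-per-character value; the validator function and the sample IDs are constructed for this example.

```php
<?php
// Alphabets the PHP session module uses for each bits-per-character value.
const SID_ALPHABETS = [
    4 => '0123456789abcdef',
    5 => '0123456789abcdefghijklmnopqrstuv',
    6 => '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,',
];

// Regex for an ID of exactly $length characters drawn from the alphabet for $bits.
function sidPattern(int $length, int $bits): string
{
    if (!isset(SID_ALPHABETS[$bits])) {
        throw new InvalidArgumentException("unsupported bits per character: $bits");
    }
    return '/\A[' . preg_quote(SID_ALPHABETS[$bits], '/') . ']{' . $length . '}\z/';
}

// Strict check a custom session handler can run before touching storage
// (hypothetical helper; mirrors what a validateId() implementation would do).
function isValidSid(string $id, int $length, int $bits): bool
{
    return preg_match(sidPattern($length, $bits), $id) === 1;
}

// Effective entropy of an ID under the given settings: each character carries $bits bits.
function sidEntropyBits(int $length, int $bits): int
{
    return $length * $bits;
}

// Read the settings named in the RFC, falling back to its proposed defaults (assumed ini names).
function configuredSidShape(): array
{
    $length = (int) (ini_get('session.sid_length') ?: 48);
    $bits   = (int) (ini_get('session.sid_bits_per_character') ?: 5);
    return [$length, $bits];
}

// Constructed IDs: one in the pre-7.1 shape (32 hex chars), one in the RFC default shape (48 chars, 5 bits).
$legacyId   = '0123456789abcdef0123456789abcdef';
$proposedId = '0123456789abcdefghijklmnopqrstuv0123456789abcdef';

var_dump(isValidSid($legacyId, 32, 4));   // legacy validator accepts the legacy ID
var_dump(isValidSid($proposedId, 32, 4)); // legacy validator rejects: wrong length, 'g'..'v' not hex
var_dump(isValidSid($proposedId, 48, 5)); // validator built from the new settings accepts it
var_dump(sidEntropyBits(32, 4), sidEntropyBits(48, 5));

// A 32-character column keeps only a prefix of the new ID, so distinct IDs can collide after truncation.
$truncated = substr($proposedId, 0, 32);
var_dump(strlen($truncated) < strlen($proposedId));
[$len, $bits] = configuredSidShape();
var_dump(isValidSid($proposedId, $len, $bits));
```

Running it under the old settings and then under the RFC defaults makes the break visible: the same validator logic flips from rejecting to accepting once it is rebuilt from the new ini values, which is exactly what a custom handler or schema will not do on its own after an upgrade.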