Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
To: Yasuo Ohgaki, "internals@lists.php.net", danack@php.net
Date: Mon, 4 Jul 2016 15:23:42 -0700
Subject: Re: [RFC][VOTE] Session ID without hashing

Hi!

> Could you share the reason why against this change?

1. I'm not sure exporting raw generator state is a good practice. I may
change my opinion on the subject if I hear from some security people
(I'm no crypto expert) that this is ok, then I may change my opinion.

2. Due to (1), I do not think it makes sense to do this change, because
we produce no benefit (session generation speed is not that important
since nobody generates millions of sessions at once) and create
potential problems.

--
Stas Malyshev
smalyshev@gmail.com