Newsgroups: php.internals
Date: Thu, 7 Jul 2016 13:29:48 +0100 (BST)
From: derick@php.net (Derick Rethans)
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC][VOTE] Session ID without hashing

On Sat, 2 Jul 2016, Yasuo Ohgaki wrote:

> Hi all,
>
> Currently session module uses obsolete MD5 for session ID. With
> CSPRNG, hashing is redundant and needless. It adds hash module
> dependency and is inefficient (there is no reason to use hash for CSPRNG
> generated bytes).
>
> This proposal cleans up session code by removing hash.
>
> https://wiki.php.net/rfc/session-id-without-hashing
>
> I set vote requires 2/3 support.
> Please describe the reason why when you are against this RFC.
> Reasons are important for improvements!

I'm voting "no" because of

  session.use_strict_mode (0 to 1) - Changed as insurance of broken PRNG implementation.

and it not being mentioned in BC breaking changes. It changes behaviour of
session IDs, as shown in the manual:

  session.use_strict_mode boolean
  session.use_strict_mode specifies whether the module will use strict
  session id mode. If this mode is enabled, the module does not accept
  uninitialized session ID. If uninitialized session ID is sent from
  browser, new session ID is sent to browser. Applications are protected
  from session fixation via session adoption with strict mode. Defaults to
  0 (disabled).

cheers,
Derick
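The manual text Derick quotes describes the behaviour change behind his vote: with session.use_strict_mode=1 the session module asks the save handler whether an incoming ID was actually issued by the server, and refuses to adopt one that was not. The script below is an added example written for this page (it is not code from the thread, the RFC, or php-src); it assumes PHP 8.0+ on the CLI, uses a constructed in-memory handler named ArraySessionHandler and a constructed 32-character ID, and runs the same "presented ID" through session_start() once with strict mode off and once with it on.

```php
<?php
// Added example, not from the mailing-list thread or php-src.
// Shows what "the module does not accept uninitialized session ID" means
// by driving session_start() with a user-presented ID under both settings
// of session.use_strict_mode. Assumes PHP 8.0+ (union return types).

final class ArraySessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string,string> session data keyed by ID; stands in for the files/db backend (constructed) */
    private array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }

    // Consulted by session_start() only when session.use_strict_mode=1.
    // Returning false for an ID this backend never created makes PHP discard
    // the presented ID and issue a fresh one instead of adopting it; that is
    // the session-fixation protection the manual paragraph refers to.
    public function validateId(string $id): bool { return isset($this->store[$id]); }

    // Used by lazy_write when session data is unchanged; persisting here keeps the
    // ID known to validateId() on later requests.
    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }
}

/**
 * Start a session with $presented as the incoming ID (stands in for the
 * cookie value a browser would send) and return the ID PHP actually granted.
 * A fresh handler is used per call so the two runs do not share state.
 */
function startWithPresentedId(string $presented, bool $strict): string
{
    ini_set('session.use_strict_mode', $strict ? '1' : '0');
    session_set_save_handler(new ArraySessionHandler(), true);
    session_id($presented);
    session_start();
    $granted = session_id();
    session_write_close();
    return $granted;
}

// Constructed: a well-formed ID that no server-side store has ever issued.
$presented = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';

$grantedNonStrict = startWithPresentedId($presented, false);
$grantedStrict    = startWithPresentedId($presented, true);

// Each line reports whether PHP kept the ID it was handed. Strict mode is the
// setting that should refuse an ID validateId() does not recognise.
printf("use_strict_mode=0 adopted presented ID: %s\n", var_export($grantedNonStrict === $presented, true));
printf("use_strict_mode=1 adopted presented ID: %s\n", var_export($grantedStrict === $presented, true));
```

Run it with `php strict_mode_demo.php` (any filename works). The handler is deliberately minimal: the only method that matters for the point of the thread is validateId(), which strict mode calls before adopting an ID. A handler that does not implement SessionUpdateTimestampHandlerInterface gets no such callback, so flipping the INI default, as the RFC proposes, only protects applications whose handler can answer the question "did I issue this ID?"; that is the kind of behavioural change Derick wants listed under BC breaks.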