Newsgroups: php.internals
Date: Tue, 12 Jul 2016 11:25:47 +0100 (BST)
From: derick@php.net (Derick Rethans)
To: Yasuo Ohgaki
cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Session ID without hashing

Hi,

The voted-upon-RFC still has

> session.use_strict_mode (0 to 1) - Changed as insurance of broken PRNG implementation.

Although you said:

It was moved to other RFC.
https://wiki.php.net/rfc/session-use-strict-mode

And neither did you restart voting after modifying the RFC - or writing
down in the RFC's changes that it got changed.

So what's the deal?

cheers,
Derick

On Tue, 12 Jul 2016, Yasuo Ohgaki wrote:

> Hi all,
>
> On Sat, Jul 2, 2016 at 4:35 PM, Yasuo Ohgaki wrote:
> > Currently session module uses obsolete MD5 for session ID. With
> > CSPRNG, hashing is redundant and needless. It adds hash module
> > dependency and inefficient (There is no reason to use hash for CSPRNG
> > generated bytes).
> >
> > This proposal cleans up session code by removing hash.
> >
> > https://wiki.php.net/rfc/session-id-without-hashing
> >
> > I set vote requires 2/3 support.
> > Please describe the reason why when you against this RFC. Reasons are
> > important for improvements!
> >
> > Thank you!
>
> Thank you for voting and the RFC has passed 13 vs 5.
> I'll prepare documents and merge the change in a few days.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
>

--
https://derickrethans.nl | https://xdebug.org | https://dram.io
Like Xdebug? Consider a donation: https://xdebug.org/donate.php
twitter: @derickr and @xdebug