Newsgroups: php.internals
Xref: news.php.net php.internals:94670
From: davey@php.net (Davey Shafik)
Date: Sat, 23 Jul 2016 23:33:07 -0700
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [RFC][VOTE] Session ID without hashing - Reopened

Just wanted to let you know I voted no because of the BC breaking change to
the INI options that could easily break many custom session handlers — any
session handler that stores the sessions in a fixed-width column will be
broken.

I'm fine changing the defaults in the php.ini-*, but not changing the
defaults in the code. Also, documenting the better values as recommended.

Putting my RM hat on, I'm not comfortable merging this in 7.1 with an
unnecessary BC breaking change. Changing the default is the BC break,
regardless of the _ability_ to change the settings back to the previous
values.

On Sat, Jul 23, 2016 at 9:50 PM, Yasuo Ohgaki wrote:

> Hi all,
>
> Due to a defect in the RFC, vote is reopened for a week. Removed lines
> are indicated by .
> No additional lines nor modifications
> other than removed lines for session.use_strict_mode change.
> Sorry for the confusion!
>
> ============
>
> Currently session module uses obsolete MD5 for session ID. With
> CSPRNG, hashing is redundant and needless. It adds hash module
> dependency and is inefficient (There is no reason to use hash for CSPRNG
> generated bytes).
>
> This proposal cleans up session code by removing hash.
>
> https://wiki.php.net/rfc/session-id-without-hashing
>
> I set vote requires 2/3 support.
> Please describe the reason why when you are against this RFC. Reasons are
> important for improvements!
>
> Thank you!
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net