Newsgroups: php.internals
Date: Wed, 10 Aug 2016 19:03:59 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Marco Pivetta
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function

Hi Marco,

On Wed, Aug 10, 2016 at 6:31 PM, Marco Pivetta wrote:
> The RFC mentions "Without session_create_id(), user has to implement their
> own bin_to_readable() in user land.".
> This pretty much makes it clear that a userland implementation is feasible,
> and thus it should indeed be implemented in userland when possible.
>
> That's my reasoning for voting "no".

Thank you for sharing your idea!

> This pretty much makes it clear that a userland implementation is feasible,
> and thus it should indeed be implemented in userland when possible.

Actually, it's not with 3rd-party session save handlers written in C.
Properly written save handlers should have an internal s_validate_sid()
function to check session ID collisions. User scripts cannot access save
handler internals. Therefore, it requires a lot of work if users try to
create session IDs properly, i.e. validate that the generated session ID
string does not collide.

There is an API design issue also. Let's say we add

  string str_bin2readable(string $binary, int $bits_per_char);

then we need

  string str_readable2bin(string $readable_bin, int $bits_per_char);

The internal bin_to_readable() function is not designed to be reversible,
i.e. it cannot convert $readable_bin back to $binary, because it does not
care about trailing bits that cannot fit into a char. I need more info for
these functions to be reversible, i.e.

  string str_readable2bin(string $readable_bin, int $bits_per_char, int $number_of_bits_in_readable_bin);

These APIs do not look good enough to be usable...

I hope I explained well the reason behind having session_create_id().

Regards,

P.S. I would like to change session_regenerate_id() to accept 'prefix', but
it has a 1st parameter that I would like to remove in the future. This is the
reason why I didn't change session_regenerate_id(). It requires a lot less
user code:

  session_regenerate_id('myprefix-');

yet it is safe.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
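The following is an added illustration of the two points made in the message above: that a bits-per-character readable encoding drops information (so a plain two-argument decoder cannot exist and the decoder needs a bit count), and that a user-land session ID generator has to supply its own collision check in place of the save handler's validate step. It is example code written for this page, not PHP's own implementation and not the author's. The packing order (LSB-first, final character zero-padded, output truncated at the requested length), the 64-entry character table, the parameter names and the `sid_exists` callback are assumptions made for the example; the `rand_bytes` parameter exists only so the retry loop can be driven deterministically in a test.

```python
import os
from typing import Callable

# Character table assumed for this example: the first 16 entries serve
# 4 bits/char, the first 32 serve 5 bits/char, all 64 serve 6 bits/char.
HEXCONVTAB = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"


def bin_to_readable(binary: bytes, out_len: int, bits_per_char: int) -> str:
    """Pack the input bits LSB-first and emit one table character per
    bits_per_char bits, stopping after out_len characters.

    Two things are lost on the way, which is why a two-argument inverse
    cannot exist: input bits beyond out_len * bits_per_char are never read,
    and when the input runs out mid-character the last character is padded
    with zero bits that look exactly like data.
    """
    if bits_per_char not in (4, 5, 6):
        raise ValueError("bits_per_char must be 4, 5 or 6")
    mask = (1 << bits_per_char) - 1
    pos, w, have, out = 0, 0, 0, []
    while len(out) < out_len:
        if have < bits_per_char:
            if pos < len(binary):
                w |= binary[pos] << have   # next byte goes above the pending bits
                pos += 1
                have += 8
            elif have == 0:
                break                      # input ended exactly on a char boundary
            else:
                have = bits_per_char       # final round: leftover bits, zero-padded
        out.append(HEXCONVTAB[w & mask])
        w >>= bits_per_char
        have -= bits_per_char
    return "".join(out)


def readable_to_bin(readable: str, bits_per_char: int, number_of_bits: int) -> bytes:
    """Inverse of bin_to_readable(). The caller must state how many bits of
    the string are real data, because the string itself does not record it."""
    if bits_per_char not in (4, 5, 6) or number_of_bits % 8:
        raise ValueError("bits_per_char must be 4, 5 or 6; number_of_bits a multiple of 8")
    mask = (1 << bits_per_char) - 1
    w, have, out = 0, 0, bytearray()
    for ch in readable:
        idx = HEXCONVTAB.find(ch)
        if idx < 0 or idx > mask:
            raise ValueError(f"{ch!r} is not a valid {bits_per_char}-bit character")
        w |= idx << have
        have += bits_per_char
        while have >= 8 and len(out) * 8 < number_of_bits:
            out.append(w & 0xFF)
            w >>= 8
            have -= 8
    if len(out) * 8 < number_of_bits:
        raise ValueError("readable string holds fewer than number_of_bits bits")
    return bytes(out)


def create_session_id(prefix: str, sid_length: int, bits_per_char: int,
                      sid_exists: Callable[[str], bool],
                      rand_bytes: Callable[[int], bytes] = os.urandom,
                      max_tries: int = 10) -> str:
    """Build prefix + readable random ID, re-drawing while the ID collides.

    sid_exists stands in for the save handler's validate step that user-land
    code cannot call directly; it is injected here so the loop is testable.
    sid_length random bytes are drawn but only sid_length characters are
    emitted, so with fewer than 8 bits per char the tail bytes are unused.
    """
    if any(c not in HEXCONVTAB for c in prefix):
        raise ValueError("prefix contains characters not allowed in a session ID")
    for _ in range(max_tries):
        sid = prefix + bin_to_readable(rand_bytes(sid_length), sid_length, bits_per_char)
        if not sid_exists(sid):
            return sid
    raise RuntimeError("could not create a collision-free session ID")


if __name__ == "__main__":
    # Constructed input: three bytes at 5 bits/char need 5 chars (25 bits),
    # so the last char carries one padding bit; four chars would drop 4 bits.
    print(bin_to_readable(b"\x01\x02\x03", 5, 5))   # full, padded
    print(bin_to_readable(b"\x01\x02\x03", 4, 5))   # truncated
    print(create_session_id("myprefix-", 26, 5, lambda s: False))
```

Decoding the truncated string with the full bit count raises, while decoding it with the 16 bits it actually preserves succeeds; that asymmetry is exactly the extra parameter the message argues the reverse function would need.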