Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95051
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 63908 invoked from network); 11 Aug 2016 22:59:35 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Aug 2016 22:59:35 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:53333] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B0/D0-56950-4530DA75 for <internals@lists.php.net>; Thu, 11 Aug 2016 18:59:34 -0400
Received: (qmail 60396 invoked by uid 89); 11 Aug 2016 22:59:29 -0000
Received: from unknown (HELO mail-qk0-f180.google.com) (yohgaki@ohgaki.net@209.85.220.180)
  by 0 with ESMTPA; 11 Aug 2016 22:59:29 -0000
Received: by mail-qk0-f180.google.com with SMTP id t7so10705470qkh.0
        for <internals@lists.php.net>; Thu, 11 Aug 2016 15:59:29 -0700 (PDT)
X-Gm-Message-State: AEkoousUyC9PQhmDGXVZLeefL1VYeQMm4gt5t9RBPREqD7kJRJz1JWmX1DBZaLcp8Y3Yh8smMveBPe/rFSWLVw==
X-Received: by 10.55.107.130 with SMTP id g124mr13525693qkc.61.1470956363544;
 Thu, 11 Aug 2016 15:59:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Thu, 11 Aug 2016 15:58:43 -0700 (PDT)
In-Reply-To: <CAPwsocFAMofROQE-OBfNiR4yrKKSss_owu0svu+Db66DmRbShw@mail.gmail.com>
References: <CAGa2bXaZhfXbU6N0-JGVPzkkxRdkcjEhkHP+YrQNH=XFX714-Q@mail.gmail.com>
 <CAPwsocFAMofROQE-OBfNiR4yrKKSss_owu0svu+Db66DmRbShw@mail.gmail.com>
Date: Fri, 12 Aug 2016 07:58:43 +0900
X-Gmail-Original-Message-ID: <CAGa2bXaxRA91q+ev-X3okKpNC=s3XEwC9deUYikTaUQPfOE-JQ@mail.gmail.com>
Message-ID: <CAGa2bXaxRA91q+ev-X3okKpNC=s3XEwC9deUYikTaUQPfOE-JQ@mail.gmail.com>
To: Leigh <leight@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Leigh,

On Fri, Aug 12, 2016 at 3:25 AM, Leigh <leight@gmail.com> wrote:
> On Wed, 10 Aug 2016 at 10:15 Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>>
>> Hi all,
>>
>> This is RFC for adding session_create_id() function.
>>
>> Session ID string uses special binary to string conversion. Users
>> should write lengthy and slow code to have the same session ID string
>> as session module does.
>
>
> I disagree, this pretty much covers it:
>
> function session_create_id()
> {
> $encoded = base64_encode(random_bytes(random_bytes(32)));
> // Use same charset as PHP
> return rtrim(strtr($encoded, '+/', ',-'), '=');
> }

Thank you for insight!

You've missed to set SID to proper length and SID validation.

function session_create_id(string $prefix)
{
    $encoded = base64_encode(ini_get('session.sid_length')*2);
    // Use same charset as PHP
    $sid = substr(rtrim(strtr($encoded, '+/', ',-'), '='), 0,
                          ini_get('session.sid_length');

    $sid .= $prefix;

    // Now validate SID so that it does not have collisions
    when session is active, connect to database and validate SID
      try to fetch sid
        if sid is not there
          try again to generate SID few times
      if SID validation failed
         fatal error
      return safe SID
   when session is inactive
      return unvalidated SID
}

This is what proposed session_create_id() does.
I used pseudo, but it should be easy to imagine it would be lengthy code.

IMHO, mandatory API should be in PHP even if it's easy to implement
and basic API should be in PHP unless it is too easy to be implemented
userland.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net