Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Fri, 12 Aug 2016 08:07:05 +0900
To: Leigh
Cc: "internals@lists.php.net"

Hi Leigh,

One more piece of additional info.

On Fri, Aug 12, 2016 at 7:58 AM, Yasuo Ohgaki wrote:
> IMHO, mandatory API should be in PHP even if it's easy to implement
> and basic API should be in PHP unless it is too easy to be implemented
> userland.

A session SID validation function should be mandatory for user-defined
save handlers. Unless we have a ready-to-use session_create_id(), they have
to implement it by themselves.

Requiring something like

    function session_create_id(string $prefix)
    {
        // Random bytes as the source of the ID
        $encoded = base64_encode(random_bytes(ini_get('session.sid_length') * 2));
        // Use same charset as PHP
        $sid = substr(rtrim(strtr($encoded, '+/', ',-'), '='), 0, ini_get('session.sid_length'));
        $sid .= $prefix;
        // Now validate SID so that it does not have collisions
        //   when session is active,
        //     connect to database and validate SID
        //       try to fetch sid
        //       if sid is there, try again to generate SID a few times
        //       if SID validation failed, fatal error
        //     return safe SID
        //   when session is inactive,
        //     return unvalidated SID
    }

is not good API design, IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
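
The collision-checked generation outlined in the message above, written out as an added example that is not part of the original message or of PHP itself. The function name `create_validated_sid()`, the `$exists` callback, and the in-memory `$store` are assumptions made for illustration; a real save handler would query its own storage.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not PHP's session_create_id()): generate a session ID
 * and reject it if the save handler's storage already holds that ID.
 * $exists is an assumed callback, fn(string $sid): bool, true when the ID is taken.
 */
function create_validated_sid(string $prefix, callable $exists, int $length = 32, int $maxTries = 3): string
{
    // Keep the prefix inside the same alphabet the random part uses.
    if (!preg_match('/\A[A-Za-z0-9,-]*\z/', $prefix)) {
        throw new InvalidArgumentException('prefix contains characters outside the SID alphabet');
    }
    for ($try = 0; $try < $maxTries; $try++) {
        // $length random bytes encode to more than $length base64 characters.
        $encoded = strtr(rtrim(base64_encode(random_bytes($length)), '='), '+/', ',-');
        $sid = $prefix . substr($encoded, 0, $length);
        if (!$exists($sid)) {
            return $sid;
        }
    }
    // Repeated collisions on random IDs point at a broken RNG or storage check.
    throw new RuntimeException("no unused session ID after $maxTries attempts");
}

// Constructed in-memory store standing in for a database table of sessions.
$store = [];
$exists = function (string $sid) use (&$store): bool {
    return isset($store[$sid]);
};

$sid = create_validated_sid('app-', $exists);
$store[$sid] = '';
echo strlen($sid), "\n";

// Failure mode: a storage check that always reports a collision.
try {
    create_validated_sid('', fn(string $sid): bool => true);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The existence check and the later write are not atomic; with a database-backed handler, a unique constraint on the ID column closes that gap.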