Newsgroups: php.internals
Date: Fri, 12 Aug 2016 17:23:53 +0900
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Lester Caine
Cc: "internals@lists.php.net"

Hi Lester,

On Fri, Aug 12, 2016 at 5:01 PM, Lester Caine wrote:
> On 12/08/16 00:20, Yasuo Ohgaki wrote:
>> I've missed handling session.hash_bits_per_character here. There are
>> people validating SID (used chars and length) via WAF or PHP code.
>> session.hash_bits_per_character handling is mandatory for such systems.
>
> Since 'id' is a variable, isn't this just a specialist constraint
> applied to that variable ;) The various new hash rules follow the same
> pattern. Add a domain of 'session_id' to the variable and that selects
> all the right rules to handle it ... yes specialist code generating a
> special variable may be more efficient, but if the framework is right
> then one can simply adjust the rules on a generic variable to cater for
> your own requirements?

I don't think it's the framework's job to do.
See the "User land session_create_id() is easy" section.

https://wiki.php.net/rfc/session-create-id#discussions

It's neither easy nor a task for frameworks.

If a framework would like to write session_create_id() "properly", the
framework must access the session storage database.

Let's say the storage is memcached, then the framework must open a memcached
connection by itself and perform session ID validation.
Let's say the storage is PostgreSQL, then the framework must open... the same
for every other C-written session save handler.

Clearly, it's not a task for the framework, but for the session module.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
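
The SID validation mentioned in the quoted message (used characters and length, in a WAF rule or PHP code), sketched as an added example that is not from this thread, the RFC or php-src. It assumes the character sets the PHP manual documents for session.hash_bits_per_character values 4, 5 and 6, and that ID length is the digest size divided by bits per character, rounded up; the function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, sample IDs are constructed.

// Character class for each session.hash_bits_per_character value (PHP manual).
const SID_CHARSETS = [
    4 => '0-9a-f',
    5 => '0-9a-v',
    6 => '0-9a-zA-Z,-',
];

// Regex a WAF rule or application check would apply to an incoming SID.
// $hashBits: digest size of session.hash_function (128 for MD5, 160 for SHA-1).
function sid_pattern(int $bitsPerChar, int $hashBits): string
{
    if (!isset(SID_CHARSETS[$bitsPerChar])) {
        throw new InvalidArgumentException('hash_bits_per_character must be 4, 5 or 6');
    }
    // Assumption: ID length is ceil(digest bits / bits per character).
    $length = intdiv($hashBits + $bitsPerChar - 1, $bitsPerChar);
    return sprintf('/\A[%s]{%d}\z/', SID_CHARSETS[$bitsPerChar], $length);
}

function sid_is_valid(string $sid, int $bitsPerChar, int $hashBits): bool
{
    return preg_match(sid_pattern($bitsPerChar, $hashBits), $sid) === 1;
}

// The deployed rule expects MD5 IDs at 5 bits per character: 26 chars of 0-9a-v.
$rule = ['bits' => 5, 'hash' => 128];

$samples = [
    'matches configured encoding'   => str_repeat('0v', 13),        // 26 chars, 0-9a-v
    'generator ignored the setting' => str_repeat('a1', 16),        // 32 hex chars
    'right length, wrong alphabet'  => str_repeat('z', 26),         // 'z' is outside a-v
    'trailing newline'              => str_repeat('0v', 13) . "\n", // \z rejects it
];

foreach ($samples as $label => $sid) {
    $ok = sid_is_valid($sid, $rule['bits'], $rule['hash']);
    printf("%-30s %s\n", $label, $ok ? 'accept' : 'reject');
}
```

The second sample is the failure the quoted message is concerned with: an ID generator that does not honor session.hash_bits_per_character produces IDs that existing validation rejects.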