Newsgroups: php.internals
Subject: Re: [RFC][VOTE] Add session_create_id() function
To: Yasuo Ohgaki, "internals@lists.php.net"
Date: Sat, 13 Aug 2016 11:35:39 -0400
Message-ID: <72327660-e601-6c75-c14d-41785cf1ce5f@thefsb.org>
From: fsb@thefsb.org (Tom Worster)

On 8/10/16 5:14 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> This is an RFC for adding the session_create_id() function.
>
> The session ID string uses a special binary-to-string conversion. Users
> would have to write lengthy and slow code to get the same session ID string
> as the session module does. It also validates and makes sure the generated
> session ID string has no collision. (This cannot be done easily by a
> user script or by 3rd-party save handlers written in C.)

Rather than argue the details of randomness, I have more basic comments.

1. If an app needs to access session values, it can and should do this without indirection through the PHP session ID table.

2. Users should generally let PHP choose random IDs.

3. If PHP is to allow a user to choose its own session IDs, avoiding collisions should be that user's responsibility.

4. Generating unique, unpredictable IDs (without requiring collision detection) is a common problem with known and trusted solutions.

Tom
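The "known and trusted solution" behind Tom's fourth point, as an added Python example that is not part of this thread or of PHP's own code: draw enough CSPRNG bits that the birthday bound makes collision detection pointless, encode them, and validate any caller-supplied ID against the same shape (his third point). The alphabets and the bits-per-character packing are my reading of bin_to_readable() in ext/session/session.c, an assumption the RFC text itself does not spell out; sid_length and sid_bits_per_character are the php.ini setting names.

```python
import math
import secrets

# Alphabets for session.sid_bits_per_character = 4, 5, 6. Assumption: from my
# reading of PHP's ext/session/session.c, not from the RFC text above.
ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-",
}


def bin_to_readable(data: bytes, nbits: int, outlen: int) -> str:
    """Encode raw bytes as `outlen` characters of `nbits` bits each, taking bits
    least-significant first and spilling across byte boundaries (my model of the
    session module's bin_to_readable(); an assumption)."""
    if len(data) * 8 < outlen * nbits:
        raise ValueError("not enough input bytes for the requested id length")
    alphabet, mask = ALPHABETS[nbits], (1 << nbits) - 1
    w = have = 0
    out = []
    it = iter(data)
    for _ in range(outlen):
        if have < nbits:          # one more byte always covers nbits <= 6
            w |= next(it) << have
            have += 8
        out.append(alphabet[w & mask])
        w >>= nbits
        have -= nbits
    return "".join(out)


def create_id(sid_length: int = 32, sid_bits_per_character: int = 5,
              rng=secrets.token_bytes) -> str:
    """Unique, unpredictable id with no collision check: enough CSPRNG bits make
    a duplicate astronomically unlikely. `rng` is injectable only for testing."""
    nbytes = math.ceil(sid_length * sid_bits_per_character / 8)
    return bin_to_readable(rng(nbytes), sid_bits_per_character, sid_length)


def is_valid_id(sid: str, sid_length: int = 32, sid_bits_per_character: int = 5) -> bool:
    """Check a caller-supplied id against the configured shape before trusting
    it: exact length and only characters from the alphabet."""
    alphabet = set(ALPHABETS[sid_bits_per_character])
    return len(sid) == sid_length and all(c in alphabet for c in sid)


def collision_probability(n_ids: int, entropy_bits: int) -> float:
    """Birthday bound: probability that any two of n_ids random ids collide."""
    pairs = n_ids * (n_ids - 1) // 2
    return -math.expm1(-pairs / (1 << entropy_bits))
```

With the defaults (32 characters of 5 bits, 160 bits of entropy) a billion IDs collide with probability on the order of 1e-31, which is why no lookup against the session table is needed.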