Newsgroups: php.internals
Subject: Re: [RFC][VOTE] Add session_create_id() function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Tom Worster
Cc: "internals@lists.php.net"
Date: Sun, 14 Aug 2016 10:02:51 +0900

Hi Tom,

On Sun, Aug 14, 2016 at 12:35 AM, Tom Worster wrote:
> Rather than argue the details of randomness, I have more basic comments.
>
> 1. If an app needs to access session values, it can and should do this
> without indirection through the PHP session ID table.

I don't get the point. Why?

>
> 2. Users should generally let PHP choose random IDs.

I agree.

>
> 3. If PHP is to allow a user to choose its own session IDs, avoiding
> collision should be that user's responsibility.

No. I've already explained why this is difficult.
Please read the previous mail. Or try to write a session save handler that
detects collisions with memcached, then you'll see why.

>
> 4. Generating unique unpredictable IDs (without requiring collision
> detection) is a common problem with known and trusted solutions.

I agree.
It's common because many unique ID generators do not have a centralized
database to avoid collisions. In contrast, the session has a centralized
database and it's just a matter of one lookup. (Therefore, the session module
should look up the database.)

Regards,

P.S. I'll add an optimization that eliminates the SID validation lookup for
normal operations. You don't have to worry about session performance
if I add this.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
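
The "one lookup" collision check discussed in this message, as an added example that is not part of the original mail and is not PHP's own implementation. `ArraySessionStore`, `create_unused_id()`, the `app-` prefix and the injectable `$candidate` callable are hypothetical names chosen for illustration, and the in-memory array stands in for the real session store.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the central session store (files, database, memcached).
final class ArraySessionStore
{
    /** @var array<string, string> session ID => serialized session data */
    private array $rows = [];

    public function exists(string $id): bool
    {
        return array_key_exists($id, $this->rows);
    }

    public function write(string $id, string $data): void
    {
        $this->rows[$id] = $data;
    }
}

/**
 * Return a new ID that is not yet present in the store.
 * $candidate is injectable only so the collision path can be exercised below.
 */
function create_unused_id(
    ArraySessionStore $store,
    string $prefix,
    ?callable $candidate = null,
    int $maxTries = 3
): string {
    // Default candidate: 128 bits from the CSPRNG, hex encoded.
    $candidate ??= static fn (): string => bin2hex(random_bytes(16));
    for ($try = 0; $try < $maxTries; $try++) {
        $id = $prefix . $candidate();
        if (!$store->exists($id)) { // the single lookup against the store
            return $id;
        }
    }
    throw new RuntimeException('could not find an unused session ID');
}

// Constructed demonstration: the first candidate collides, the second is accepted.
$store = new ArraySessionStore();
$store->write('app-aaaa', 'user|s:5:"alice";');
$queue = ['aaaa', 'bbbb'];
$next = static function () use (&$queue): string { return array_shift($queue); };

echo create_unused_id($store, 'app-', $next), PHP_EOL; // forced-collision path
echo create_unused_id($store, 'app-'), PHP_EOL;        // normal CSPRNG path
```

The check and the later write are two separate steps here, so on a store shared between requests the lookup alone does not reserve the ID; that needs an atomic insert-if-absent operation from the store.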