Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Sun, 14 Aug 2016 09:35:26 +0100
Message-ID: <592333a7-2c73-38a4-b400-f3f2c7bf2f72@lsces.co.uk>

On 14/08/16 01:56, Yasuo Ohgaki wrote:
> IMO. PHP should be easiest, yet secure, Web application programming language.
> I don't see any benefits, but only drawbacks, forcing users "to know session
> management details to write secure code" while it is very easy to implement
> them in Session module.

Sessions are something I rely on, but have thrown numerous problems over the years. In my systems they should exist for the duration of a client being logged into the system and so any problems either end have to be handled. For that reason I store them in the database so when a client has to log in again we can clear their last activity and start a new one. The clients can be carrying out interviews for an hour or more, so previous 'improvements' that try to clear 'inactive sessions' often lost MY sort of sessions.

Clients are only allowed to log on once so I need to pick up if they try and start a second session, but I don't believe I NEED all the complexity of cryptographically secure IDs? Just ones where I CAN actually identify the client ... or should I be handling that separately from the actual session_id?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
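One way to get both properties asked about above (a session you can tie to a client, and one live session per client) while keeping the session ID itself unguessable, as an added example that is not part of the thread or of PHP's own code. It uses the session_create_id() function under vote; the `$pdo` connection and the `client_sessions(session_id, client_id, created_at)` table are assumed for illustration.

```php
<?php
// Added example, not from the mailing-list thread. Assumes a PDO connection $pdo
// and a hypothetical table client_sessions(session_id PRIMARY KEY, client_id, created_at).

function start_client_session(PDO $pdo, int $clientId): string
{
    // Drop any pre-login session so the authenticated session never reuses an ID
    // the browser held before authentication.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }

    // session_create_id() (PHP 7.1) returns a random, collision-checked ID.
    // The prefix ends up in the cookie, so it may only carry a non-secret label;
    // the random tail after it is what makes the ID unguessable.
    $newId = session_create_id('c' . $clientId . '-');
    if ($newId === false) {
        throw new RuntimeException('session_create_id() failed');
    }

    // Single login: revoke every session this client already holds, then record the new one.
    $pdo->prepare('DELETE FROM client_sessions WHERE client_id = ?')->execute([$clientId]);
    $pdo->prepare('INSERT INTO client_sessions (session_id, client_id, created_at) VALUES (?, ?, ?)')
        ->execute([$newId, $clientId, time()]);

    // Strict mode rejects IDs the handler did not issue; this one was just issued by us,
    // so it is switched off only for the call that adopts it and restored immediately.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();
    ini_set('session.use_strict_mode', '1');

    // The authoritative identity lives server-side, never only in the cookie value.
    $_SESSION['client_id'] = $clientId;
    return $newId;
}

// Call on every request after session_start(): a missing row means the client logged in
// elsewhere and this session was revoked, so treat it as logged out.
function session_is_live(PDO $pdo): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return false;
    }
    $st = $pdo->prepare('SELECT client_id FROM client_sessions WHERE session_id = ?');
    $st->execute([session_id()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && (int) $row['client_id'] === ($_SESSION['client_id'] ?? null);
}
```

The client label in the prefix is convenient for finding a client's rows, but the check that matters is the server-side lookup: the cookie value identifies nothing on its own.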