Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Tue, 16 Aug 2016 06:03:54 +0900
To: Tom Worster
Cc: "internals@lists.php.net"

On Tue, Aug 16, 2016 at 5:21 AM, Tom Worster wrote:
> On 8/14/16 4:13 PM, Yasuo Ohgaki wrote:
>
>> "Now assume a 128 bit session identifier that provides 64 bits of
>> entropy.
>
> What exactly does this mean?

When you have a random 128-bit value, it does not mean it has full-size
entropy.

Anyway, why do you insist? A CSPRNG should be good enough for security
purposes, but nobody has proven that the CSPRNGs PHP uses are collision
free. Session ID validation is a cheap cost for serious web users.

Basically you're saying "We do know it may happen, but you just had rare
bad luck. Even though protection could be implemented, whatever
consequences are your responsibility. It's the PHP way". I strongly
disagree with this kind of attitude.

If there are users who really do not want collision detection at all,
they should do it on their own responsibility and risk.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
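The two points in the message above, that an ID's length is not the same as its entropy and that checking a freshly created ID against the existing ones is cheap, can be seen in a short stand-alone script. The following is an added example written for this page; it is not code from the thread, from the RFC, or from php-src. The `SessionIdStore` class, the `weakId()` generator and the constructed simulation sizes are assumptions made for illustration; the store stands in for whatever save handler a real deployment uses.

```php
<?php
declare(strict_types=1);

/*
 * Constructed illustration (not from the mailing-list thread or php-src):
 * a session ID store that rejects colliding IDs at creation time, plus a
 * small simulation showing why a 128-bit-looking ID with less input
 * entropy still collides quickly.
 */

/** Birthday-bound estimate: P(collision) ~ n^2 / 2^(bits+1) for n IDs drawn from `bits` of entropy. */
function collisionProbability(int $ids, int $entropyBits): float
{
    return min(1.0, ($ids ** 2) / (2 ** ($entropyBits + 1)));
}

/**
 * Produce a 32-hex-character (128-bit-wide) ID that carries only $entropyBits
 * of randomness: the random bytes are repeated to fill 16 bytes, mimicking a
 * generator whose seed is smaller than its output. $entropyBits must be a
 * multiple of 8 between 8 and 128.
 */
function weakId(int $entropyBits): string
{
    $random = random_bytes(intdiv($entropyBits, 8));
    return bin2hex(str_pad($random, 16, $random));
}

/** Full-entropy ID: 16 CSPRNG bytes, the same width as the weak one. */
function strongId(): string
{
    return bin2hex(random_bytes(16));
}

final class SessionIdStore
{
    /** @var array<string, true> IDs currently in use (hypothetical in-memory store). */
    private $ids = [];

    /** @var int How many generated IDs were rejected because they already existed. */
    public $collisionsDetected = 0;

    public function exists(string $id): bool
    {
        return isset($this->ids[$id]);
    }

    /**
     * Create an ID with $generator and refuse any that is already in use:
     * one hash lookup per creation, which is the "cheap cost" the message
     * refers to. Returns null if every one of $maxTries attempts collided.
     */
    public function createId(callable $generator, int $maxTries = 8): ?string
    {
        for ($attempt = 0; $attempt < $maxTries; $attempt++) {
            $id = $generator();
            if (!$this->exists($id)) {
                $this->ids[$id] = true;
                return $id;
            }
            $this->collisionsDetected++;
        }
        return null;
    }
}

if (PHP_SAPI === 'cli') {
    $sessions = 2000; // constructed sample size

    // Same 32-character width in both runs; only the entropy differs.
    foreach ([16 => function () { return weakId(16); },
              128 => function () { return strongId(); }] as $bits => $generator) {
        $store = new SessionIdStore();
        for ($i = 0; $i < $sessions; $i++) {
            if ($store->createId($generator) === null) {
                echo "gave up: every attempt collided\n";
            }
        }
        printf("%3d bits of entropy: %d sessions, %d collisions caught, estimated P(any) = %.3f\n",
            $bits, $sessions, $store->collisionsDetected, collisionProbability($sessions, $bits));
    }
}
```

With 16 bits of entropy (65536 possible values) and 2000 sessions, the store rejects on the order of tens of duplicates even though every ID is 32 hex characters long; with 128 bits it rejects none, and the birthday estimate is vanishingly small. The check in `createId()` costs one lookup per new session, which is the trade-off the message is arguing about.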