Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Tom Worster
Cc: internals@lists.php.net
Date: Tue, 16 Aug 2016 06:39:20 +0900
References: <592333a7-2c73-38a4-b400-f3f2c7bf2f72@lsces.co.uk>

On Tue, Aug 16, 2016 at 6:03 AM, Yasuo Ohgaki wrote:
> On Tue, Aug 16, 2016 at 5:21 AM, Tom Worster wrote:
>> On 8/14/16 4:13 PM, Yasuo Ohgaki wrote:
>>
>>> "Now assume a 128 bit session identifier that provides 64 bits of
>>> entropy.
>>
>>
>> What exactly does this mean?
>
> When you have a random 128 bit value, it does not mean it has full-size entropy.
>
> Anyway, why do you insist? A CSPRNG should be good enough for security
> purposes, but nobody proves the CSPRNGs that PHP uses are collision free.
> Session ID validation is a cheap cost for serious web users.
>
> Basically you're saying "We do know it may happen, but you just had
> rare bad luck. Even though protection could be implemented, whatever
> consequences are your responsibility. It's the PHP way".
> I strongly disagree with this kind of attitude.
>
> If there are users who really do not want collision detection at all,
> they should do it by their own responsibility and risk.

The above discussion is added to the RFC.

The default 128 bits Session ID is large enough to ignore collisions
https://wiki.php.net/rfc/session-create-id#discussions

It describes an application, but PHP is a platform. There are millions of PHP apps or more, and there could be billions of active sessions. Tens of thousands of new session IDs or more could be created. Apply the calculation for the expected time of a possible collision. Are you still sure "There will be no collisions at all"?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
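The calculation the message asks for is the birthday bound. The following Python is an added example and is not code from PHP or from the RFC; it works the two cases the thread names (a 128-bit session ID carrying 128 bits of entropy, and a 128-bit ID carrying only 64 bits) through the standard approximation p ~= 1 - exp(-n^2 / 2N), and converts the result into wall-clock time at a creation rate. The rate of 10,000 IDs per second is a constructed input that only stands in for the "tens of thousands" figure in the message.

```python
import math

# Birthday-bound estimates for session-ID collisions. Added example, not
# code from PHP or the session_create_id RFC; the creation rate below is
# a constructed input.


def collision_probability(entropy_bits: int, n_ids: int) -> float:
    """Probability that at least one pair among n_ids uniformly random
    identifiers drawn from 2**entropy_bits values collides.

    Uses the birthday approximation p ~= 1 - exp(-n(n-1) / (2N)).
    expm1 keeps tiny probabilities (e.g. 1e-21) from rounding to 0.0.
    """
    space = 2.0 ** entropy_bits
    exponent = -(n_ids * (n_ids - 1.0)) / (2.0 * space)
    return -math.expm1(exponent)


def ids_until_probability(entropy_bits: int, p: float) -> float:
    """Number of identifiers at which the collision probability reaches p.

    Inverts the approximation above: n ~= sqrt(2N * ln(1 / (1 - p))).
    """
    space = 2.0 ** entropy_bits
    return math.sqrt(2.0 * space * -math.log1p(-p))


def seconds_until_probability(entropy_bits: int, ids_per_second: float,
                              p: float = 0.5) -> float:
    """Wall-clock seconds, at a steady creation rate, until the
    cumulative collision probability reaches p."""
    return ids_until_probability(entropy_bits, p) / ids_per_second


def compare_scenarios(ids_per_second: float) -> dict:
    """Side-by-side figures for the two cases discussed in the thread:
    a 128-bit ID with full entropy and a 128-bit ID that provides only
    64 bits of entropy (same length, far smaller effective space)."""
    rows = {}
    for label, bits in (("128-bit ID, 128 bits entropy", 128),
                        ("128-bit ID, 64 bits entropy", 64)):
        secs = seconds_until_probability(bits, ids_per_second)
        rows[label] = {
            "ids_for_50pct": ids_until_probability(bits, 0.5),
            "days_for_50pct": secs / 86400.0,
            "p_after_1e9_ids": collision_probability(bits, 10 ** 9),
        }
    return rows


if __name__ == "__main__":
    # Constructed rate: "tens of thousands" of new IDs, taken as per second.
    RATE = 10_000.0
    for label, row in compare_scenarios(RATE).items():
        print(f"{label}:")
        print(f"  IDs until 50% collision chance: {row['ids_for_50pct']:.3e}")
        print(f"  days at {RATE:.0f} IDs/s:           {row['days_for_50pct']:.3e}")
        print(f"  P(collision) after 1e9 IDs:     {row['p_after_1e9_ids']:.3e}")
```

With 64 bits of effective entropy the 50% mark arrives after roughly 5e9 identifiers, which at 10,000 IDs per second is under a week; with the full 128 bits it is roughly 2e19 identifiers, or on the order of 1e10 days at the same rate. The gap is the point of the thread: the length of the ID says nothing about its entropy, and a cheap uniqueness check at creation time covers the case where the generator delivers less than the full width.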