Newsgroups: php.internals
Xref: news.php.net php.internals:95229
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: fsb@thefsb.org (Tom Worster)
To: Yasuo Ohgaki
CC: internals@lists.php.net
Date: Tue, 16 Aug 2016 08:08:40 -0400

On 8/15/16, 5:39 PM, "Yasuo Ohgaki" wrote:

>On Tue, Aug 16, 2016 at 6:03 AM, Yasuo Ohgaki wrote:
>> On Tue, Aug 16, 2016 at 5:21 AM, Tom Worster wrote:
>>> On 8/14/16 4:13 PM, Yasuo Ohgaki wrote:
>>>
>>>> "Now assume a 128 bit session identifier that provides 64 bits of
>>>> entropy.
>>>
>>> What exactly does this mean?
>>
>> When you have a random 128 bit value, it does not mean it has full size
>> entropy.
>>
>> Anyway, why do you insist? CSPRNG should be good enough for security
>> purposes, but nobody proves the CSPRNGs that PHP uses are collision free.
>> Session ID validation is a cheap cost for serious web users.
>>
>> Basically you're saying “We do know it may happen, but you just had
>> rare bad luck. Even though protection could be implemented, whatever
>> consequences are your responsibility. It's the PHP way”.

That is not what I am basically saying.

>> I strongly disagree with this kind of attitude.
>>
>> If there are users who really do not want collision detection at all,
>> they should do it by their own responsibility and risk.
>
>Above discussion is added to the RFC.
>
>The default 128 bits Session ID is large enough to ignore collisions
>https://wiki.php.net/rfc/session-create-id#discussions
>
>It describes an application, but PHP is a platform.
>There are millions of PHP apps or more and there could be billions of
>active sessions. Tens of thousands of new session IDs or more could be
>created. Apply the calculation for the expected time of a possible
>collision.
>
>Are you still sure "There will be no collisions at all"?

The calculation underestimates the difficulty of finding collisions by 38
decimal orders of magnitude. The number of different SIDs in default PHP
config is 2^192, not 2^64.

So yes, I am still sure.

Tom
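The exchange above asks for the expected time until a session ID collision given billions of active sessions and a high rate of ID creation, and the two sides disagree on whether the relevant space is 2^64 or 2^192. The following Python is an added example, not code from this thread or from PHP itself: it applies the standard birthday-bound approximation to the bit widths named above and converts the result into wall-clock time. The load of 10,000 new IDs per second and the 10^9 issued IDs are constructed assumptions, not figures from the thread. It also computes the decimal orders of magnitude separating a 192-bit space from a 64-bit one, which is the ratio the reply refers to.

```python
from math import expm1, log, log10, sqrt

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def collision_probability(space_bits: int, n_ids: int) -> float:
    """Probability that at least two of n_ids identifiers, each drawn uniformly
    from a space of 2**space_bits values, are equal (birthday bound).

    Uses the standard approximation p ~= 1 - exp(-n(n-1) / (2N)), which is
    accurate while n is far below sqrt(N). expm1 keeps precision when the
    probability is astronomically small, where 1 - exp(x) would round to 0.
    """
    space = 2.0 ** space_bits
    pairs = n_ids * (n_ids - 1) / 2.0
    return -expm1(-pairs / space)


def ids_until_probability(space_bits: int, p: float) -> float:
    """Number of identifiers that must be issued before the probability of at
    least one collision reaches p (inverse of the approximation above):
    n ~= sqrt(2N * ln(1 / (1 - p)))."""
    space = 2.0 ** space_bits
    return sqrt(2.0 * space * log(1.0 / (1.0 - p)))


def years_until_probability(space_bits: int, ids_per_second: float, p: float) -> float:
    """Wall-clock time, in years, for a platform issuing ids_per_second
    identifiers (uniformly random, no reuse) to reach collision probability p."""
    return ids_until_probability(space_bits, p) / ids_per_second / SECONDS_PER_YEAR


def orders_of_magnitude_gain(wide_bits: int, narrow_bits: int) -> float:
    """How many decimal orders of magnitude larger the wider ID space is
    than the narrower one: log10(2**wide / 2**narrow)."""
    return (wide_bits - narrow_bits) * log10(2)


if __name__ == "__main__":
    # Constructed load assumption: 10,000 new session IDs per second, platform-wide.
    RATE = 10_000
    for bits in (64, 128, 192):
        print(f"{bits:3d}-bit space: "
              f"P(collision | 1e9 ids) = {collision_probability(bits, 10**9):.3e}, "
              f"50% after {ids_until_probability(bits, 0.5):.3e} ids "
              f"= {years_until_probability(bits, RATE, 0.5):.3e} years")
    print(f"192 vs 64 bits: {orders_of_magnitude_gain(192, 64):.1f} "
          f"decimal orders of magnitude")
```

The approximation only holds for identifiers that are actually uniform over the full space; a 128-bit string carrying 64 bits of entropy, as in the quoted hypothetical, must be computed with space_bits=64, which is the distinction the thread turns on.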