Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
From: fsb@thefsb.org (Tom Worster)
To: Lester Caine, internals@lists.php.net
Date: Fri, 19 Aug 2016 15:40:13 -0400
Message-ID: <9a3a8cb3-a3ad-b4ec-e88c-b610abe32c7f@thefsb.org>
References: <592333a7-2c73-38a4-b400-f3f2c7bf2f72@lsces.co.uk>

On 8/16/16 10:51 AM, Lester Caine wrote:
> On 16/08/16 13:08, Tom Worster wrote:
>>>> The default 128 bits Session ID is large enough to ignore collisions
>>>> https://wiki.php.net/rfc/session-create-id#discussions
>>>>
>>>> It describes an application, but PHP is a platform.
>>>> There are millions of PHP apps or more and there could be billions of
>>>> active sessions. Tens of thousands of new session IDs or more could be
>>>> created. Apply the calculation for expected time of possible
>>>> collision.
>>>>
>>>> Are you still sure "There will be no collisions at all"?
>> The calculation underestimates the difficulty of finding collisions by 38
>> decimal orders of magnitude. The number of different SIDs in default PHP
>> config is 2^192, not 2^64. So yes, I am still sure.
>
> In a distributed system which would be required to handle millions of
> sessions at the same time, then one will have thousands of copies of PHP
> running and shared via some sort of traffic manager. So unless some sort
> of mechanism is included to provide identification of the PHP instance
> then it is probable that different instances will all produce the same
> sequence of numbers. A UUID generator provided to ensure every
> distributed service has a uniquely identifiable id for every 'session'
> is not something that forms part of a single instance of PHP. It must be
> centrally managed with a central session store. All that a single
> instance of PHP should be worrying about is a few hundred active sessions?

(I think you could use a hash for this. But that's beside the point because...)

I have no problem with session_create_id(). I have a problem with saying that CSPRNG is so untrustworthy that users must find ways to compensate for its faults in their code. And I have a problem with a statement to this effect being in the RFC. And with that statement obscuring the crux of the argument with misleading math about an SID database.

Tom
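The "calculation for expected time of possible collision" that the thread argues over is the birthday bound. The following is an added worked example, not code from the thread or from PHP: it assumes, as Tom's argument does, that every session ID is drawn uniformly at random from 2^bits values (the CSPRNG property), and it evaluates that bound for the 64-, 128- and 192-bit widths mentioned above at the platform-wide scale Yasuo describes (billions of sessions, tens of thousands of IDs per second; those rates are constructed figures). The function names and the scenario numbers are my own. Lester's concern, several instances emitting the same sequence, is precisely a violation of the uniform-randomness assumption; this arithmetic says nothing about that case, only about what a sound CSPRNG buys you.

```python
import math

# Birthday-bound arithmetic for random session identifiers.
# Assumption (stated in the lead-in): every ID is drawn uniformly at random
# from a space of 2**bits values, i.e. the generator behaves as a CSPRNG.


def collision_probability(n_ids: int, bits: int) -> float:
    """Probability that at least two of n_ids random bits-bit IDs coincide.

    Uses the standard birthday approximation 1 - exp(-n(n-1)/(2N)) with
    N = 2**bits; expm1 keeps precision when the exponent is tiny.
    """
    if n_ids < 2:
        return 0.0
    space = 2 ** bits
    return -math.expm1(-n_ids * (n_ids - 1) / (2 * space))


def ids_until_expected_collision(bits: int) -> float:
    """Expected number of IDs drawn before the first repeat: sqrt(pi*N/2)."""
    return math.sqrt(math.pi * (2 ** bits) / 2)


SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_until_expected_collision(bits: int, ids_per_second: float) -> float:
    """Expected time to the first repeat if IDs are minted at a global rate."""
    return ids_until_expected_collision(bits) / ids_per_second / SECONDS_PER_YEAR


def collision_table(n_ids: int, bits_list=(64, 128, 192)) -> dict:
    """Collision probability for n_ids live sessions at each ID width."""
    return {bits: collision_probability(n_ids, bits) for bits in bits_list}


if __name__ == "__main__":
    # Constructed scenario at the thread's scale: ten billion active
    # sessions and 100,000 new IDs minted per second across the platform.
    active_sessions = 10 ** 10
    mint_rate = 10 ** 5  # IDs per second, constructed figure
    for bits, p in collision_table(active_sessions).items():
        years = years_until_expected_collision(bits, mint_rate)
        print(f"{bits:3d}-bit IDs: P(collision among {active_sessions:.0e}) = {p:.3e}, "
              f"expected first repeat after ~{years:.3e} years at {mint_rate:.0e}/s")
```

At 64 bits the table shows a collision is likely once ten billion IDs exist at once, which is the worry in the quoted text; at 128 bits the same population gives a probability around 1e-19, and at 192 bits it is far below anything a platform could observe. The gap between the 64-bit and 192-bit columns is the "orders of magnitude" Tom refers to.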