[RFC][VOTE] Session ID without hashing - Vote reopened and restarted

9 years ago by Yasuo Ohgaki — view source — reply

unread

Hi all,

Due to defects in the RFC, vote is reopened and restarted.
Followings are changes from 1st vote.

Removed session.use_strict_mode change
(Changed when vote reopened)
Added INI default vote options, incompatible and compatible.
(Changed when 2nd vote is restarted)
Extended vote period for 2 days.

These who are voted already have to VOTE AGAIN.
Sorry for the inconvenience and confusion!

============

Currently session module uses obsolete MD5 for session ID. With
CSPRNG, hashing is redundant and needless. It adds hash module
dependency and inefficient.

This proposal cleans up session code by removing hash.

https://wiki.php.net/rfc/session-id-without-hashing

I set vote requires 2/3 support.
Please describe the reason why when you against this RFC. Reasons are
important for improvements!

Vote ends 2016/08/02 23:59:59 UTC.

Thank you for voting!

--
Yasuo Ohgaki
yohgaki@ohgaki.net

9 years ago by Yasuo Ohgaki — view source — reply

unread

Hi all,

Session ID without hashing
https://wiki.php.net/rfc/session-id-without-hashing#vote

This RFC is passed 9 vs 0.
Compatible default is used as default. 7 vs 3.

It needs to update the default INI. I'll finish it in a few days.

Thank you for voting!

Yasuo Ohgaki
yohgaki@ohgaki.net

Hi all,

Due to defects in the RFC, vote is reopened and restarted.
Followings are changes from 1st vote.

Removed session.use_strict_mode change
(Changed when vote reopened)

Added INI default vote options, incompatible and compatible.
(Changed when 2nd vote is restarted)

Extended vote period for 2 days.

These who are voted already have to VOTE AGAIN.
Sorry for the inconvenience and confusion!

============

Currently session module uses obsolete MD5 for session ID. With
CSPRNG, hashing is redundant and needless. It adds hash module
dependency and inefficient.

This proposal cleans up session code by removing hash.

https://wiki.php.net/rfc/session-id-without-hashing

I set vote requires 2/3 support.
Please describe the reason why when you against this RFC. Reasons are
important for improvements!

Vote ends 2016/08/02 23:59:59 UTC.

Thank you for voting!

--
Yasuo Ohgaki
yohgaki@ohgaki.net

9 years ago by Davey Shafik — view source — reply

unread

Hey Yasuo,

Unfortunately this missed beta2 (tagged yesterday), I'll confirm with Joe
about putting it in for 7.1beta3.

Thanks for those last minute changes, I'm much happier with this result! :)

Davey

Hi all,

Session ID without hashing
https://wiki.php.net/rfc/session-id-without-hashing#vote

This RFC is passed 9 vs 0.
Compatible default is used as default. 7 vs 3.

It needs to update the default INI. I'll finish it in a few days.

Thank you for voting!

Yasuo Ohgaki
yohgaki@ohgaki.net

Hi all,

Due to defects in the RFC, vote is reopened and restarted.
Followings are changes from 1st vote.

Removed session.use_strict_mode change
(Changed when vote reopened)

Added INI default vote options, incompatible and compatible.
(Changed when 2nd vote is restarted)

Extended vote period for 2 days.

These who are voted already have to VOTE AGAIN.
Sorry for the inconvenience and confusion!

============

Currently session module uses obsolete MD5 for session ID. With
CSPRNG, hashing is redundant and needless. It adds hash module
dependency and inefficient.

This proposal cleans up session code by removing hash.

https://wiki.php.net/rfc/session-id-without-hashing

I set vote requires 2/3 support.
Please describe the reason why when you against this RFC. Reasons are
important for improvements!

Vote ends 2016/08/02 23:59:59 UTC.

Thank you for voting!

--
Yasuo Ohgaki
yohgaki@ohgaki.net

9 years ago by Yasuo Ohgaki — view source — reply

unread

Hi all and Davey,

Unfortunately this missed beta2 (tagged yesterday), I'll confirm with Joe
about putting it in for 7.1beta3.

Thanks for those last minute changes, I'm much happier with this result! :)

I just realized, php.ini-development/production uses

session.hash_func=0
session.hash_bits_per_character=5 (Compiled default is 4)

The session ID will be ^[0-9a-v]{26}$ (length=26 chars)

So I'll modify php.ini-* default to
session.sid_length=26
session.sid_bit_per_character=5

This matches the current default session ID format used widely. Sorry
for the confusions, but compatible should mean compatible with current
default.

Regards,

P.S. Davery, should I push the patch to 7.1 and master branch, or you will?
I don't mind pasting the patch for 7.1 branch to gist.

--
Yasuo Ohgaki
yohgaki@ohgaki.net

9 years ago by Christoph M. Becker — view source — reply

unread

Hi Yasuo!

Due to defects in the RFC, vote is reopened and restarted.
Followings are changes from 1st vote.

[…]

Vote ends 2016/08/02 23:59:59 UTC.

I've just noticed that the voting is still open, although it's already
2016-08-08. Shouldn't it be closed?

--
Christoph M. Becker

9 years ago by Yasuo Ohgaki — view source — reply

unread

Hi Christoph,

I've just noticed that the voting is still open, although it's already
2016-08-08. Shouldn't it be closed?

Thank you!
Closed.

--
Yasuo Ohgaki
yohgaki@ohgaki.net