Re: [RFC Discussion] Precise Session Management

From:	Yasuo Ohgaki	Date:	Tue, 26 Jan 2016 07:37:21 +0000
Subject:	Re: [RFC Discussion] Precise Session Management
References:	1 2 3 4 5	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi all,

On Tue, Jan 26, 2016 at 4:01 PM, Yasuo Ohgaki <[email protected]> wrote:
> Since the function only allows chars used by ID, I would like to add "_" a
> valid char. "_" should be very safe char.

I think about possible attack/misuse scenario a little more and come
up with following.

"_" is wild card char of SQL's LIKE query. Although, it should be rare to use
session ID string for LIKE query, one may do

SELECT * FROM my_sess_table WHERE sess_id LIKE '$id';
where $id is '______________________'.

This may allow to fetch all session IDs in DB. Users will likely write
such query with prefixed session ID, so I don't think allowing "_" is
not good idea after all. I'll keep as it is now, but if you have good
option. Please let me know.

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (39 messages)

• Yasuo OhgakiFri, 18 Dec 2015 22:33:10 +0000
  • Yasuo OhgakiMon, 21 Dec 2015 01:01:47 +0000Re: [RFC Discussion] Precise Session Management
    • Mike WillbanksMon, 21 Dec 2015 04:24:24 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiTue, 22 Dec 2015 05:37:12 +0000
        • Grzegorz ZdanowskiTue, 22 Dec 2015 08:42:26 +0000
          • Yasuo OhgakiTue, 22 Dec 2015 09:22:45 +0000
            • Yasuo OhgakiTue, 22 Dec 2015 23:27:09 +0000
  • Stanislav MalyshevTue, 22 Dec 2015 06:22:09 +0000
    • Yasuo OhgakiTue, 22 Dec 2015 09:11:39 +0000
  • Yasuo OhgakiTue, 05 Jan 2016 01:21:16 +0000Re: [RFC Discussion] Precise Session Management
    • Dan AckroydThu, 07 Jan 2016 15:54:16 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiFri, 08 Jan 2016 01:28:31 +0000
  • Yasuo OhgakiFri, 22 Jan 2016 01:19:36 +0000Re: [RFC Discussion] Precise Session Management
    • Yasuo OhgakiFri, 22 Jan 2016 01:32:53 +0000
      • Yasuo OhgakiTue, 26 Jan 2016 02:22:19 +0000
        • Yasuo OhgakiTue, 26 Jan 2016 07:01:55 +0000
          • Yasuo OhgakiTue, 26 Jan 2016 07:16:41 +0000
          • Yasuo OhgakiTue, 26 Jan 2016 07:37:21 +0000
          • Stanislav MalyshevTue, 26 Jan 2016 08:15:50 +0000Re: Re: [RFC Discussion] Precise Session Management
            • Yasuo OhgakiTue, 26 Jan 2016 09:29:02 +0000
              • Stanislav MalyshevWed, 27 Jan 2016 00:16:07 +0000
                • Yasuo OhgakiWed, 27 Jan 2016 01:18:20 +0000
                  • Stanislav MalyshevWed, 27 Jan 2016 01:22:45 +0000
                    • Yasuo OhgakiWed, 27 Jan 2016 01:30:13 +0000
        • Stanislav MalyshevTue, 26 Jan 2016 08:01:07 +0000Re: Re: [RFC Discussion] Precise Session Management
          • Yasuo OhgakiTue, 26 Jan 2016 10:28:13 +0000
            • Yasuo OhgakiTue, 26 Jan 2016 12:17:27 +0000
              • Dan AckroydTue, 26 Jan 2016 15:05:46 +0000
                • Yasuo OhgakiTue, 26 Jan 2016 22:14:59 +0000
              • Stanislav MalyshevTue, 26 Jan 2016 23:49:58 +0000
                • Yasuo OhgakiWed, 27 Jan 2016 00:21:58 +0000
                  • Stanislav MalyshevWed, 27 Jan 2016 01:25:57 +0000
                    • Yasuo OhgakiWed, 27 Jan 2016 02:02:10 +0000
                      • Yasuo OhgakiWed, 27 Jan 2016 02:04:46 +0000
            • Stanislav MalyshevWed, 27 Jan 2016 00:12:26 +0000
              • Yasuo OhgakiWed, 27 Jan 2016 01:07:18 +0000
  • Yasuo OhgakiSat, 30 Jan 2016 10:37:33 +0000Re: [RFC Discussion] Precise Session Management
    • Stanislav MalyshevSun, 31 Jan 2016 23:44:56 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiMon, 01 Feb 2016 02:17:48 +0000