Re: Re: [RFC Discussion] Precise Session Management

From:	Stanislav Malyshev	Date:	Wed, 27 Jan 2016 00:16:07 +0000
Subject:	Re: Re: [RFC Discussion] Precise Session Management
References:	1 2 3 4 5 6 7	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi!

>> About, since session_id() is a user function, what do we gain by
>> limiting what it does?
> 
> Prefix is a part of session ID and it should have the same requirement
> as session ID for security reasons.

I'm not sure why you're talking about prefix. I thought that the issue
was that user can supply session_id() with the ID that is not good for
some reason and you want to filter it on session_id level. Am I wrong?

> There is SessionHandler::create_sid(), but there isn't a function that
> creates secure session ID.

Why not? The ID created now is not secure? Why? I see it uses
php_session_create_id(), do you mean this function is insecure too? Why?
In any case, if you think it is insecure, why not fix it?
-- 
Stas Malyshev
[email protected]


   

Thread (39 messages)

• Yasuo OhgakiFri, 18 Dec 2015 22:33:10 +0000
  • Yasuo OhgakiMon, 21 Dec 2015 01:01:47 +0000Re: [RFC Discussion] Precise Session Management
    • Mike WillbanksMon, 21 Dec 2015 04:24:24 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiTue, 22 Dec 2015 05:37:12 +0000
        • Grzegorz ZdanowskiTue, 22 Dec 2015 08:42:26 +0000
          • Yasuo OhgakiTue, 22 Dec 2015 09:22:45 +0000
            • Yasuo OhgakiTue, 22 Dec 2015 23:27:09 +0000
  • Stanislav MalyshevTue, 22 Dec 2015 06:22:09 +0000
    • Yasuo OhgakiTue, 22 Dec 2015 09:11:39 +0000
  • Yasuo OhgakiTue, 05 Jan 2016 01:21:16 +0000Re: [RFC Discussion] Precise Session Management
    • Dan AckroydThu, 07 Jan 2016 15:54:16 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiFri, 08 Jan 2016 01:28:31 +0000
  • Yasuo OhgakiFri, 22 Jan 2016 01:19:36 +0000Re: [RFC Discussion] Precise Session Management
    • Yasuo OhgakiFri, 22 Jan 2016 01:32:53 +0000
      • Yasuo OhgakiTue, 26 Jan 2016 02:22:19 +0000
        • Yasuo OhgakiTue, 26 Jan 2016 07:01:55 +0000
          • Yasuo OhgakiTue, 26 Jan 2016 07:16:41 +0000
          • Yasuo OhgakiTue, 26 Jan 2016 07:37:21 +0000
          • Stanislav MalyshevTue, 26 Jan 2016 08:15:50 +0000Re: Re: [RFC Discussion] Precise Session Management
            • Yasuo OhgakiTue, 26 Jan 2016 09:29:02 +0000
              • Stanislav MalyshevWed, 27 Jan 2016 00:16:07 +0000
                • Yasuo OhgakiWed, 27 Jan 2016 01:18:20 +0000
                  • Stanislav MalyshevWed, 27 Jan 2016 01:22:45 +0000
                    • Yasuo OhgakiWed, 27 Jan 2016 01:30:13 +0000
        • Stanislav MalyshevTue, 26 Jan 2016 08:01:07 +0000Re: Re: [RFC Discussion] Precise Session Management
          • Yasuo OhgakiTue, 26 Jan 2016 10:28:13 +0000
            • Yasuo OhgakiTue, 26 Jan 2016 12:17:27 +0000
              • Dan AckroydTue, 26 Jan 2016 15:05:46 +0000
                • Yasuo OhgakiTue, 26 Jan 2016 22:14:59 +0000
              • Stanislav MalyshevTue, 26 Jan 2016 23:49:58 +0000
                • Yasuo OhgakiWed, 27 Jan 2016 00:21:58 +0000
                  • Stanislav MalyshevWed, 27 Jan 2016 01:25:57 +0000
                    • Yasuo OhgakiWed, 27 Jan 2016 02:02:10 +0000
                      • Yasuo OhgakiWed, 27 Jan 2016 02:04:46 +0000
            • Stanislav MalyshevWed, 27 Jan 2016 00:12:26 +0000
              • Yasuo OhgakiWed, 27 Jan 2016 01:07:18 +0000
  • Yasuo OhgakiSat, 30 Jan 2016 10:37:33 +0000Re: [RFC Discussion] Precise Session Management
    • Stanislav MalyshevSun, 31 Jan 2016 23:44:56 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiMon, 01 Feb 2016 02:17:48 +0000