Re: Re: [RFC Discussion] Precise Session Management

From:	Yasuo Ohgaki	Date:	Wed, 27 Jan 2016 01:30:13 +0000
Subject:	Re: Re: [RFC Discussion] Precise Session Management
References:	1 2 3 4 5 6 7 8 9 10	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Stas,

On Wed, Jan 27, 2016 at 10:22 AM, Stanislav Malyshev
<[email protected]> wrote:
>
>> Oops, sorry. Too many lines to reply, I misread session_id()/session_create_id()
>>
>> session_id() sets session ID. Invalid char that cannot be accepted should be
>> rejected. Otherwise, user will have lost sessions without errors.
>
> As far as I know, handlers already reject characters that are not OK
> with them. So what is missing there?

Session module/save handlers removes invalid chars silently.
This changes user defined session ID, thus session is lost without
apparent errors.

>
>> SessionHandler::create_sid() is for creating user own ID. Generating ID with
>> certain prefix.
>
> Not sure what you mean. The code here:
> https://github.com/php/php-src/blob/master/ext/session/mod_user_class.c#L175
> is clearly generating an ID. Is this not secure enough?

If php_session_create_id() which is session module function, it's
secure. Users may create whatever session IDs, though.

>
>> Currently, there is no simple way to generate session ID with the form
>> of session module generates. i.e. hash_bits_per_characters=5/6. There
>> should be an API for it.
>
> Wait, so which ID the  SessionHandler::create_sid() generates? Isn't
> that the same function? Which function you plan to use instead?

I mean there is no way to call php_session_create_id() without user
defined save handler.

Main use case of session_create_id() and session_id() would be
prefixed session like

session_id(session_create_id('MY-PREFIX-'));

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (39 messages)

• Yasuo OhgakiFri, 18 Dec 2015 22:33:10 +0000
  • Yasuo OhgakiMon, 21 Dec 2015 01:01:47 +0000Re: [RFC Discussion] Precise Session Management
    • Mike WillbanksMon, 21 Dec 2015 04:24:24 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiTue, 22 Dec 2015 05:37:12 +0000
        • Grzegorz ZdanowskiTue, 22 Dec 2015 08:42:26 +0000
          • Yasuo OhgakiTue, 22 Dec 2015 09:22:45 +0000
            • Yasuo OhgakiTue, 22 Dec 2015 23:27:09 +0000
  • Stanislav MalyshevTue, 22 Dec 2015 06:22:09 +0000
    • Yasuo OhgakiTue, 22 Dec 2015 09:11:39 +0000
  • Yasuo OhgakiTue, 05 Jan 2016 01:21:16 +0000Re: [RFC Discussion] Precise Session Management
    • Dan AckroydThu, 07 Jan 2016 15:54:16 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiFri, 08 Jan 2016 01:28:31 +0000
  • Yasuo OhgakiFri, 22 Jan 2016 01:19:36 +0000Re: [RFC Discussion] Precise Session Management
    • Yasuo OhgakiFri, 22 Jan 2016 01:32:53 +0000
      • Yasuo OhgakiTue, 26 Jan 2016 02:22:19 +0000
        • Yasuo OhgakiTue, 26 Jan 2016 07:01:55 +0000
          • Yasuo OhgakiTue, 26 Jan 2016 07:16:41 +0000
          • Yasuo OhgakiTue, 26 Jan 2016 07:37:21 +0000
          • Stanislav MalyshevTue, 26 Jan 2016 08:15:50 +0000Re: Re: [RFC Discussion] Precise Session Management
            • Yasuo OhgakiTue, 26 Jan 2016 09:29:02 +0000
              • Stanislav MalyshevWed, 27 Jan 2016 00:16:07 +0000
                • Yasuo OhgakiWed, 27 Jan 2016 01:18:20 +0000
                  • Stanislav MalyshevWed, 27 Jan 2016 01:22:45 +0000
                    • Yasuo OhgakiWed, 27 Jan 2016 01:30:13 +0000
        • Stanislav MalyshevTue, 26 Jan 2016 08:01:07 +0000Re: Re: [RFC Discussion] Precise Session Management
          • Yasuo OhgakiTue, 26 Jan 2016 10:28:13 +0000
            • Yasuo OhgakiTue, 26 Jan 2016 12:17:27 +0000
              • Dan AckroydTue, 26 Jan 2016 15:05:46 +0000
                • Yasuo OhgakiTue, 26 Jan 2016 22:14:59 +0000
              • Stanislav MalyshevTue, 26 Jan 2016 23:49:58 +0000
                • Yasuo OhgakiWed, 27 Jan 2016 00:21:58 +0000
                  • Stanislav MalyshevWed, 27 Jan 2016 01:25:57 +0000
                    • Yasuo OhgakiWed, 27 Jan 2016 02:02:10 +0000
                      • Yasuo OhgakiWed, 27 Jan 2016 02:04:46 +0000
            • Stanislav MalyshevWed, 27 Jan 2016 00:12:26 +0000
              • Yasuo OhgakiWed, 27 Jan 2016 01:07:18 +0000
  • Yasuo OhgakiSat, 30 Jan 2016 10:37:33 +0000Re: [RFC Discussion] Precise Session Management
    • Stanislav MalyshevSun, 31 Jan 2016 23:44:56 +0000Re: Re: [RFC Discussion] Precise Session Management
      • Yasuo OhgakiMon, 01 Feb 2016 02:17:48 +0000