Hi all,

I would like to refactor session id generation to use our new
php_random_bytes API as the single entropy source for session ids,
targeting 7.1.

Overall this would give a small performance increase to session generation,
a large security increase to session generation, and remove some points of
possible user error.

There are a few things to consider while doing this:

session.entropy_file will no longer be needed, as the best source of random
for the operating system will be selected.

session.entropy_length should be ignored, as this was to specify the length
of *additional* entropy, and may be non-zero in legacy configuration files
that are preserved across upgrades.

session.hash_function should be deprecated, there is no benefit to hashing
cryptographically strong random bytes, however people may be relying on
this to get session ids of a certain length.

We will have to introduce a new setting to control session id length,
perhaps overridden if session.hash_function is non-default. We have a year
to play with the details.

I'd like to hear if there are any strong objections to this proposal.

Cheers,

Leigh.
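
A sketch of the scheme proposed above, added here as an illustration and not taken from php-src or from the author: the id is encoded straight from OS random bytes with no hash step, and a length setting fixes its size. The names os_random_bytes, make_session_id and SID_MAX_LEN, the bits_per_char parameter and the 64-character alphabet are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define SID_MAX_LEN 256

/* Stand-in for the single entropy source (assumption: the OS CSPRNG device;
 * the proposal's php_random_bytes selects the best source per platform). */
static int os_random_bytes(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, len, f) : 0;
    if (f) fclose(f);
    return got == len ? 0 : -1;
}

/* Fill out with exactly sid_len characters, each carrying bits_per_char (4, 5
 * or 6) random bits. Returns the id's entropy in bits, or -1 on any failure. */
static int make_session_id(char *out, size_t out_size, size_t sid_len, int bits_per_char)
{
    static const char alphabet[] =
        "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-";
    unsigned char raw[SID_MAX_LEN];
    unsigned int acc = 0, mask;
    int have = 0;
    size_t in = 0, n = 0;

    if (bits_per_char < 4 || bits_per_char > 6) return -1;
    if (sid_len == 0 || sid_len > SID_MAX_LEN || out_size < sid_len + 1) return -1;
    /* Draw ceil(sid_len * bits / 8) bytes; fail closed, never return a weak id. */
    if (os_random_bytes(raw, (sid_len * (size_t)bits_per_char + 7) / 8) != 0) return -1;
    mask = (1u << bits_per_char) - 1;
    while (n < sid_len) {
        if (have < bits_per_char) {          /* refill the bit accumulator */
            acc |= (unsigned int)raw[in++] << have;
            have += 8;
        }
        out[n++] = alphabet[acc & mask];     /* exactly 2^bits symbols: no modulo bias */
        acc >>= bits_per_char;
        have -= bits_per_char;
    }
    out[sid_len] = '\0';
    return (int)(sid_len * (size_t)bits_per_char);
}

int main(void)
{
    char id[SID_MAX_LEN + 1];
    return make_session_id(id, sizeof id, 32, 4) < 0 ? 1 : (puts(id), 0);
}
```

With this encoding, a deployment that relied on a particular hash for id length would get the same length from the length setting alone: 32 characters at 4 bits each is 128 bits of entropy.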
