Hi Julien,

On Thu, Jan 14, 2016 at 7:21 PM, Julien Pauli <jpa...@php.net> wrote:
> On Wed, Jan 13, 2016 at 12:03 AM, Stanislav Malyshev
> <smalys...@gmail.com> wrote:
>> Hi!
>>
>>> I've disallowed empty session ID, but it wasn't an
>>> appropriate fix.
>>>
>>> https://bugs.php.net/bug.php?id=68063
>>
>> Could you explain a bit more about the part where there are empty IDs
>> generated? You say it "is browser's cookie handling" - could you explain
>> more about it?
>>
>>> I made an appropriate patch for this issue. It should be
>>> applied from PHP 5.5 to master. I attached the patch to
>>> the bug report. Could you apply it from PHP 5.5? Or
>>> shall I commit it from 5.6, then cherry-pick?
>>
>> Is that a security issue? If so, please explain how. If not, it should
>> be 5.6+.
>
> IMO, this is not security related.

Strictly speaking, it's not. IMO.

However, my previous fix (raise a warning and return false) was the wrong fix.
Therefore, I would like to correct it (provide a new session ID and continue)
in 5.5 also. Does this make sense?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
