Hi Stas,

On Tue, Jan 26, 2016 at 5:15 PM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>> Since this RFC is about preciseness of session management, I would like to
>> change session_id() to validate against the default allowed chars as follows.
>> (As well as enabling the already written session_create_id() function)
>> This patch is against the PR.
>
> I would strongly advise not to add more things into this RFC (see my
> other email). If you want to change which chars are allowed in session
> ID, fine, but let's discuss it in a separate topic.

Fine with me.

> However, I would proceed *very* carefully here, as there are apps that
> produce their own session IDs, and breaking them does not help anybody.

Sounds good. As I wrote in my previous mail, this is going to be the largest BC
impact of the changes I proposed.

> About, since session_id() is a user function, what do we gain by
> limiting what it does?

The prefix is a part of the session ID and it should have the same requirement as
the session ID for security reasons.

> For session_create_id(), don't we already have
> SessionHandler::create_sid()?

There is SessionHandler::create_sid(), but there isn't a function that
creates a secure session ID. We may do sha1(random_bytes(32)), but it's better
to have a function that uses the hash/data specified by
session.hash_function/hash_bits_per_character.
So "sha1(random_bytes(32))" and "session_create_id()" are not equal, for example.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
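
The character check discussed in this thread, sketched as an added example that is not part of the original mail or the RFC patch. The helper names `sid_chars_ok()` and `make_prefixed_sid()` are hypothetical, the sample prefixes are constructed, and `bin2hex(random_bytes())` is only a stand-in for the random part, which, as the mail notes, is not equivalent to what session_create_id() would produce.

```php
<?php
// Added example, not code from the RFC or its patch.
// Alphabets PHP's built-in session ID generator emits for each
// bits-per-character setting (4, 5 or 6).
const SID_ALPHABETS = [
    4 => '0-9a-f',
    5 => '0-9a-v',
    6 => '0-9a-zA-Z,\-',
];

// Hypothetical helper: true when $value contains only characters the
// configured encoding can produce. An empty prefix is accepted.
function sid_chars_ok(string $value, int $bitsPerChar): bool
{
    if (!isset(SID_ALPHABETS[$bitsPerChar])) {
        throw new InvalidArgumentException('bits per character must be 4, 5 or 6');
    }
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    $pattern = '/\A[' . SID_ALPHABETS[$bitsPerChar] . ']*\z/';
    return preg_match($pattern, $value) === 1;
}

// Hypothetical helper: validated prefix followed by a random part.
// bin2hex() output (0-9a-f) is valid under all three alphabets.
function make_prefixed_sid(string $prefix, int $bitsPerChar, int $randomBytes = 32): string
{
    if (!sid_chars_ok($prefix, $bitsPerChar)) {
        throw new InvalidArgumentException('prefix has characters outside the session ID alphabet');
    }
    return $prefix . bin2hex(random_bytes($randomBytes));
}

// Constructed sample prefixes, checked against each setting.
foreach (['abc1', 'app1', 'user-42', 'app/1'] as $prefix) {
    foreach ([4, 5, 6] as $bits) {
        printf("%-8s bits=%d %s\n", $prefix, $bits,
            sid_chars_ok($prefix, $bits) ? 'accepted' : 'rejected');
    }
}

// A prefix that passes under the 5-bit alphabet, followed by 64 hex characters.
echo make_prefixed_sid('app1', 5), "\n";
```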