Hi Stas,

On Wed, Jan 27, 2016 at 10:22 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>
>> Oops, sorry. Too many lines to reply, I misread
>> session_id()/session_create_id()
>>
>> session_id() sets session ID. Invalid char that cannot be accepted should be
>> rejected. Otherwise, user will have lost sessions without errors.
>
> As far as I know, handlers already reject characters that are not OK
> with them. So what is missing there?

Session module/save handlers remove invalid chars silently. This changes the user-defined session ID, thus the session is lost without apparent errors.

>
>> SessionHandler::create_sid() is for creating user own ID. Generating ID with
>> certain prefix.
>
> Not sure what you mean. The code here:
> https://github.com/php/php-src/blob/master/ext/session/mod_user_class.c#L175
> is clearly generating an ID. Is this not secure enough?

If it is php_session_create_id(), which is a session module function, it's secure. Users may create whatever session IDs, though.

>
>> Currently, there is no simple way to generate session ID with the form
>> of session module generates. i.e. hash_bits_per_characters=5/6. There
>> should be an API for it.
>
> Wait, so which ID the SessionHandler::create_sid() generates? Isn't
> that the same function? Which function do you plan to use instead?

I mean there is no way to call php_session_create_id() without a user-defined save handler.

The main use case of session_create_id() and session_id() would be a prefixed session like

session_id(session_create_id('MY-PREFIX-'));

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
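As an added example (not code from this thread or from php-src), here is the defender-side counterpart of the point Yasuo raises: validate a prefixed or externally supplied ID against PHP's session-ID character set before handing it to session_id(), so a bad ID fails loudly instead of being silently altered by the save handler and turning into a lost session. It assumes PHP 7.1 or later for session_create_id(); the 256-character upper bound is our own assumption about PHP's internal limit.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Needs PHP >= 7.1 (session_create_id()).
// PHP's session module accepts only A-Z, a-z, 0-9, ',' and '-' in a session ID;
// the 256 upper bound is an assumption about PHP's internal maximum SID length.
const SID_PATTERN = '/\A[A-Za-z0-9,-]{1,256}\z/';

function is_valid_session_id(string $id): bool
{
    return preg_match(SID_PATTERN, $id) === 1;
}

// Set the session ID only after validating it. Throwing here is the explicit
// error the thread asks for, instead of the save handler dropping characters
// and the request quietly continuing with a different (empty) session.
function set_session_id_or_fail(string $id): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('session_id() must be called before session_start()');
    }
    if (!is_valid_session_id($id)) {
        throw new InvalidArgumentException('session ID contains invalid characters or has bad length');
    }
    session_id($id);
}

// Case 1: prefixed ID generated by the session module, as proposed in the thread.
// The prefix itself must use the allowed character set ('MY-PREFIX-' does).
$prefixed = session_create_id('MY-PREFIX-');
if ($prefixed === false) {
    throw new RuntimeException('session_create_id() failed');
}
set_session_id_or_fail($prefixed);
session_start();
echo 'started session ', session_id(), PHP_EOL;
session_write_close();

// Case 2: an ID from an untrusted source (constructed sample) with '_' and '/'.
// Rejected up front and logged, rather than silently mangled into a new session.
$untrusted = 'MY_PREFIX/abc';
try {
    set_session_id_or_fail($untrusted);
} catch (InvalidArgumentException $e) {
    error_log('rejected session ID: ' . $e->getMessage());
}
```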