Hi On Tue, Apr 12, 2016 at 10:21 AM, Michael Wallner <m...@php.net> wrote: > On 08/04/16 04:17, Yasuo Ohgaki wrote: > >> PRNG like /dev/urandom is supposed to be secure, but fair point. It >> may be good idea keeping old hash based session ID just in case >> someone find vulnerability. I suppose it's unlikely with modern PRNGs, >> though. > > I've come to think that "unlikely" is still a bad precondition with > regards to security... :)
however, if a vulnerability is found in /dev/urandom, that would be a stop-what-you're-doing-and-patch moment anyways because so much stuff depends on /dev/(u)random not producing predictable output. If /dev/urandom is not to be trusted, you have to bring your server offline right then. The fact that PHP would continue to produce more secure session IDs won't help you much. >> I didn't expect this much difference, but this is the result. Since >> security experts advise to change session ID relatively high frequency >> (few minutes to half an hour), this difference may be noticeable apps >> returning cached JSON. I know apps that change session ID on every >> request. (This should be done with caution. Otherwise, you may >> experience lost sessions a lot due to race conditions) Such apps will >> see performance gain. > > This RPS change is the result of just omitting hashing of the session id? if it is, it's really worth considering this change as, again, a vulnerability in /dev/urandom would be devastating enough to immediately bring down the machine anyways. Philip -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
