Hi all,

On Wed, Apr 6, 2016 at 2:47 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> The session module does not require hashing to generate a session ID. This
> RFC removes hashing from the session module and enables use_strict_mode as
> insurance against a broken RNG.
>
> https://wiki.php.net/rfc/session-id-without-hashing
>
> Comments are appreciated!
It's been a while since the last discussion. I would like to add this change to the session module at least for PHP 7.1.

The concern that has been discussed is the risk of a broken PRNG and predictable session IDs. We may insist that any platform must have a reliable PRNG, but it would be a good idea to have at least a mitigation. Reading extra bytes should be good enough for this purpose.

I also changed the minimum length of the session ID from 32 to 22 for better compatibility. 22 is the length with an MD5 hash and hash_bits_per_character=6.

The PR will be updated soon. I would like to start the vote after the PR update, so please post comments if any.

Thank you.

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
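The two ideas in this thread, a session ID built directly from RNG output without hashing and use_strict_mode as the backstop when that RNG is weak, can be illustrated with a small model. The following is an added example written for this page; it is not the RFC's code nor PHP's session module. It reproduces the length arithmetic (128 bits at 6 bits per character gives 22 characters, 32 at 4 bits per character), encodes raw bytes with a 64-symbol alphabet modelled on the one PHP uses for hash_bits_per_character=6 (the exact bit ordering is an assumption), and contrasts a strict and a non-strict session store: the strict one refuses to adopt an ID it did not issue, so a guessed or planted ID is never accepted, while the non-strict one silently creates a session under whatever ID the client presents.

```python
import math
import secrets

# 64-symbol alphabet modelled on PHP's 6-bits-per-character encoding
# (assumption: PHP's exact bit ordering may differ from this toy encoder).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,"


def min_id_length(entropy_bits: int, bits_per_char: int) -> int:
    """Characters needed to carry entropy_bits at bits_per_char per symbol."""
    return math.ceil(entropy_bits / bits_per_char)


def encode_id(raw: bytes, bits_per_char: int) -> str:
    """Turn raw random bytes straight into a session ID (no hashing step).

    Hashing would not add entropy: the ID can never be less predictable
    than the bytes the RNG produced.
    """
    if bits_per_char not in (4, 5, 6):
        raise ValueError("bits_per_char must be 4, 5 or 6")
    mask = (1 << bits_per_char) - 1
    out, acc, nbits = [], 0, 0
    for b in raw:
        acc = (acc << 8) | b
        nbits += 8
        while nbits >= bits_per_char:
            nbits -= bits_per_char
            out.append(ALPHABET[(acc >> nbits) & mask])
        acc &= (1 << nbits) - 1  # keep only the unconsumed low bits
    if nbits:  # left-align the trailing bits into one final symbol
        out.append(ALPHABET[(acc << (bits_per_char - nbits)) & mask])
    return "".join(out)


class SessionStore:
    """Minimal server-side session table with optional strict mode."""

    def __init__(self, bits_per_char: int = 6, entropy_bytes: int = 32,
                 strict: bool = True):
        self.bits_per_char = bits_per_char
        # Read more bytes than the 128-bit minimum needs, as the thread
        # suggests, so a slightly weak RNG still yields a hard-to-guess ID.
        self.entropy_bytes = entropy_bytes
        self.strict = strict
        self.sessions: dict[str, dict] = {}

    def create(self) -> str:
        sid = encode_id(secrets.token_bytes(self.entropy_bytes),
                        self.bits_per_char)
        self.sessions[sid] = {}
        return sid

    def resume(self, client_sid: str) -> str:
        """Return the session ID the client ends up using for this request."""
        if client_sid in self.sessions:
            return client_sid
        if self.strict:
            # use_strict_mode: an ID we never issued is discarded and a
            # fresh one generated, so planted or guessed IDs are never adopted.
            return self.create()
        # Non-strict: the client-chosen ID becomes a real session.
        self.sessions[client_sid] = {}
        return client_sid


if __name__ == "__main__":
    print("min length, 128 bits @6:", min_id_length(128, 6))   # 22
    print("min length, 128 bits @4:", min_id_length(128, 4))   # 32
    store = SessionStore()
    sid = store.create()
    print("issued:", sid, "len", len(sid))
    print("strict store adopts planted id?",
          store.resume("planted-id") == "planted-id")          # False
```

Running it shows why the thread settles on 22 as the floor: that is the shortest ID that still carries 128 bits at six bits per character, and the strict store demonstrates the "insurance" the RFC text refers to, since even a correctly formatted but unissued ID is replaced rather than honoured.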