Hi :)

On Wed, Jun 29, 2016 at 7:09 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi!
>
>> Concern has been discussed is risk of broken PRNG and predictable
>> session ID. We may insist any platform must have reliable PRNG, but it
>> would be good idea to have least mitigation. Reading extra bytes
>> should be good enough for this purpose.
>
> I still see no reason to change it stated in the RFC except performance
> (which is irrelevant in all contexts I know of). It states the change
> but omits the reason why this change is necessary. Could you please add
> that part?

Same here. I have to ask again what prevents you from writing your own custom session module and doing everything you consider safe in there. But this kind of change does not sound very helpful and not really done for valid reasons (for that one). I fully understand the goal to secure (and this is a very open definition) session management for PHP, but this cannot be done on a step-by-step basis.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org