Hi Stas,

On Wed, Jun 29, 2016 at 9:09 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
>
>> The concern that has been discussed is the risk of a broken PRNG and a predictable
>> session ID. We may insist that any platform must have a reliable PRNG, but it
>> would be a good idea to have at least a minimal mitigation. Reading extra bytes
>> should be good enough for this purpose.
>
> I still see no reason to change it stated in the RFC except performance
> (which is irrelevant in all contexts I know of). It states the change
> but omits the reason why this change is necessary. Could you please add
> that part?
Sure. The main purpose is cleanup. The reason we have messy session ID creation code for hashing and generating random bytes is that we didn't have reliable cross-platform PRNG code. We have it now, so there is no reason to keep complex/redundant/inefficient code. I'll add this.

Thank you.

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php