Hi Derick,

On Thu, Jul 7, 2016 at 9:29 PM, Derick Rethans <der...@php.net> wrote:
>> Hi all,
>>
>> Currently the session module uses obsolete MD5 for the session ID. With a CSPRNG, hashing is redundant and needless. It adds a hash module dependency and is inefficient (there is no reason to hash CSPRNG-generated bytes).
>>
>> This proposal cleans up the session code by removing the hash.
>>
>> https://wiki.php.net/rfc/session-id-without-hashing
>>
>> I set the vote to require 2/3 support.
>> Please describe the reason when you are against this RFC. Reasons are important for improvements!
>
> I'm voting "no" because of
>
> session.use_strict_mode (0 to 1) - Changed as insurance of broken PRNG implementation.
>
> And it not being mentioned in the BC breaking changes. It changes the behaviour of session IDs, as is shown in the manual:
>
> session.use_strict_mode boolean
>
> session.use_strict_mode specifies whether the module will use strict session id mode. If this mode is enabled, the module does not accept uninitialized session ID. If uninitialized session ID is sent from browser, new session ID is sent to browser. Applications are protected from session fixation via session adoption with strict mode. Defaults to 0 (disabled).
It was moved to another RFC. https://wiki.php.net/rfc/session-use-strict-mode

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
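An added example, not part of this thread and not php-src code, that shows the behaviour the quoted manual text describes: with session.use_strict_mode off, an ID the server never issued is adopted as-is (the session adoption that enables fixation); with it on, PHP asks the handler's validateId() and issues a fresh ID instead. It assumes PHP 8.0+ on the CLI; the MemoryHandler class, the startWithClientId() helper and the constructed attacker ID are mine.

```php
<?php
// Added example, not from the thread or from php-src: a tiny in-memory session
// handler that lets you watch what session.use_strict_mode does when the client
// presents an ID the server never issued ("session adoption").
// Assumes PHP 8.0+ on the CLI; MemoryHandler and startWithClientId() are mine.
declare(strict_types=1);

final class MemoryHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string,string> only IDs the server itself created end up here */
    public array $store = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
    // Strict mode consults this before accepting a client-supplied ID.
    public function validateId(string $id): bool { return isset($this->store[$id]); }
    public function updateTimestamp(string $id, string $data): bool { return true; }
}

// Start a session as if $clientId had arrived in the session cookie and report
// which ID the session actually runs under.
function startWithClientId(string $clientId, bool $strict, MemoryHandler $h): string
{
    ini_set('session.use_strict_mode', $strict ? '1' : '0');
    ini_set('session.use_cookies', '0');   // CLI: no cookie or cache-limiter headers
    ini_set('session.cache_limiter', '');
    session_set_save_handler($h, true);
    session_id($clientId);                 // stands in for the cookie value
    session_start();
    $_SESSION['touched'] = true;           // force a write so the ID is persisted
    $id = session_id();
    session_write_close();
    return $id;
}

$attackerId = 'deadbeefdeadbeefdeadbeefdeadbeef'; // constructed; never issued by the server

$adopted  = startWithClientId($attackerId, false, new MemoryHandler());
$replaced = startWithClientId($attackerId, true,  new MemoryHandler());

printf("use_strict_mode=0: server adopted the foreign ID: %s\n", var_export($adopted === $attackerId, true));
printf("use_strict_mode=1: server issued a fresh ID instead: %s\n", var_export($replaced !== $attackerId, true));
```

The same check applies to the built-in files handler, which validates a presented ID by looking for its session file; the custom handler here just makes the decision visible.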