Hi all, I would like to ask the default session ID string preference.
Details of guessing an active session ID is described in previous mail. Please refer it for details. On Sun, Jul 24, 2016 at 4:57 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote: > I don't mind pausing vote to have consensus on how many bits for > session ID string is preferred. Current default is 128 bits with 32 chars. (Hex string which has 4 bits per char) Pros: Compatible with current default. Cons: Weaker than proposed default Proposed default is 240 bits with 48 chars. (Special form which has 5 bits per char) Pros: Stronger than current default. Cons: Incompatible with current default. 128 bits would be strong enough with CSPRNG, while 240 bits would be preferred as precaution. Which default would you prefer? I would like to restart vote based on the result. Thank you! -- Yasuo Ohgaki yohg...@ohgaki.net -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
