Hi Leigh,

On Fri, Aug 12, 2016 at 3:25 AM, Leigh <lei...@gmail.com> wrote:
> On Wed, 10 Aug 2016 at 10:15 Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>>
>> Hi all,
>>
>> This is RFC for adding session_create_id() function.
>>
>> Session ID string uses special binary to string conversion. Users
>> should write lengthy and slow code to have the same session ID string
>> as session module does.
>
>
> I disagree, this pretty much covers it:
>
> function session_create_id()
> {
> $encoded = base64_encode(random_bytes(random_bytes(32)));
> // Use same charset as PHP
> return rtrim(strtr($encoded, '+/', ',-'), '=');
> }

Thank you for insight!

You've missed to set SID to proper length and SID validation.

function session_create_id(string $prefix)
{
    $encoded = base64_encode(ini_get('session.sid_length')*2);
    // Use same charset as PHP
    $sid = substr(rtrim(strtr($encoded, '+/', ',-'), '='), 0,
                          ini_get('session.sid_length');

    $sid .= $prefix;

    // Now validate SID so that it does not have collisions
    when session is active, connect to database and validate SID
      try to fetch sid
        if sid is not there
          try again to generate SID few times
      if SID validation failed
         fatal error
      return safe SID
   when session is inactive
      return unvalidated SID
}

This is what proposed session_create_id() does.
I used pseudo, but it should be easy to imagine it would be lengthy code.

IMHO, mandatory API should be in PHP even if it's easy to implement
and basic API should be in PHP unless it is too easy to be implemented
userland.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to