Hi Leigh,
On Fri, Aug 12, 2016 at 3:25 AM, Leigh <[email protected]> wrote:
> On Wed, 10 Aug 2016 at 10:15 Yasuo Ohgaki <[email protected]> wrote:
>>
>> Hi all,
>>
>> This is RFC for adding session_create_id() function.
>>
>> Session ID strings use a special binary-to-string conversion. Users
>> have to write lengthy and slow code to get the same session ID string
>> as the session module does.
>
>
> I disagree, this pretty much covers it:
>
> function session_create_id()
> {
>     $encoded = base64_encode(random_bytes(32));
>     // Use same charset as PHP
>     return rtrim(strtr($encoded, '+/', ',-'), '=');
> }
Thank you for the insight!
You've missed setting the SID to the proper length, and SID validation.
function session_create_id(string $prefix = ''): string
{
    $length = (int) ini_get('session.sid_length');
    for ($retry = 0; $retry < 3; $retry++) {
        // Encode twice as many random bytes as needed, then cut to length
        $encoded = base64_encode(random_bytes($length * 2));
        // Use same charset as PHP
        $sid = $prefix . substr(rtrim(strtr($encoded, '+/', ',-'), '='), 0, $length);
        // When session is inactive, return unvalidated SID
        if (session_status() !== PHP_SESSION_ACTIVE) {
            return $sid;
        }
        // Now validate SID so that it does not have collisions:
        // when session is active, connect to database and try to fetch sid
        if (!sid_exists_in_storage($sid)) {
            return $sid; // safe SID
        }
        // sid is there: try again to generate SID a few times
    }
    // SID validation failed
    trigger_error('session_create_id(): could not create a unique SID', E_USER_ERROR);
}

// Lookup against the session storage; depends on the save handler in use,
// so this is only a stub standing in for the "connect to database" step.
function sid_exists_in_storage(string $sid): bool
{
    return false;
}
This is what the proposed session_create_id() does.
I used pseudocode, but it should be easy to imagine that it would be lengthy code.
IMHO, a mandatory API should be in PHP even if it's easy to implement,
and a basic API should be in PHP unless it is too easy to implement in
userland.
Regards,
--
Yasuo Ohgaki
[email protected]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
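An added example, not code from the thread or from PHP's own session module: a userland generator that draws each character directly from the charset the session module uses for 4, 5 or 6 bits per character (going beyond the 6-bit base64 case discussed above), plus a format check for incoming IDs so a malformed ID is rejected before it reaches the save handler. It assumes the session.sid_length and session.sid_bits_per_character ini settings of PHP 7.1; php_sid_charset, create_sid and is_valid_sid are names made up here, and the fallback values 32 and 4 are constructed samples.

```php
<?php
// Added example; not the session module's code and not from the thread.

// Charset the session module uses for each sid_bits_per_character value.
function php_sid_charset(int $bits): string
{
    switch ($bits) {
        case 4:
            return '0123456789abcdef';
        case 5:
            return '0123456789abcdefghijklmnopqrstuv';
        case 6:
            return '0123456789abcdefghijklmnopqrstuvwxyz'
                 . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ,-';
    }
    throw new InvalidArgumentException('bits per character must be 4, 5 or 6');
}

// One CSPRNG byte per character, masked to $bits bits: the masked value is
// uniform over the charset, so there is no modulo bias and no '=' padding.
function create_sid(int $length, int $bits): string
{
    $charset = php_sid_charset($bits);
    $mask    = (1 << $bits) - 1;
    $bytes   = random_bytes($length);
    $sid     = '';
    for ($i = 0; $i < $length; $i++) {
        $sid .= $charset[ord($bytes[$i]) & $mask];
    }
    return $sid;
}

// A well-formed ID is exactly $length characters, all from the charset.
// Wrong length, path characters or NUL bytes fail before any storage lookup.
function is_valid_sid(string $sid, int $length, int $bits): bool
{
    return strlen($sid) === $length
        && strspn($sid, php_sid_charset($bits)) === $length;
}

// Constructed fallback values (32 and 4) when the ini settings are absent.
$length = (int) (ini_get('session.sid_length') ?: 32);
$bits   = (int) (ini_get('session.sid_bits_per_character') ?: 4);
$sid    = create_sid($length, $bits);
var_dump(is_valid_sid($sid, $length, $bits));
var_dump(is_valid_sid($sid . '/../x', $length, $bits));
```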