Hi Leigh, On Fri, Aug 12, 2016 at 3:25 AM, Leigh <lei...@gmail.com> wrote: > On Wed, 10 Aug 2016 at 10:15 Yasuo Ohgaki <yohg...@ohgaki.net> wrote: >> >> Hi all, >> >> This is RFC for adding session_create_id() function. >> >> Session ID string uses special binary to string conversion. Users >> should write lengthy and slow code to have the same session ID string >> as session module does. > > > I disagree, this pretty much covers it: > > function session_create_id() > { > $encoded = base64_encode(random_bytes(random_bytes(32))); > // Use same charset as PHP > return rtrim(strtr($encoded, '+/', ',-'), '='); > }
Thank you for insight! You've missed to set SID to proper length and SID validation. function session_create_id(string $prefix) { $encoded = base64_encode(ini_get('session.sid_length')*2); // Use same charset as PHP $sid = substr(rtrim(strtr($encoded, '+/', ',-'), '='), 0, ini_get('session.sid_length'); $sid .= $prefix; // Now validate SID so that it does not have collisions when session is active, connect to database and validate SID try to fetch sid if sid is not there try again to generate SID few times if SID validation failed fatal error return safe SID when session is inactive return unvalidated SID } This is what proposed session_create_id() does. I used pseudo, but it should be easy to imagine it would be lengthy code. IMHO, mandatory API should be in PHP even if it's easy to implement and basic API should be in PHP unless it is too easy to be implemented userland. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php