On Tue, Aug 16, 2016 at 6:03 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Tue, Aug 16, 2016 at 5:21 AM, Tom Worster <f...@thefsb.org> wrote:
>> On 8/14/16 4:13 PM, Yasuo Ohgaki wrote:
>>
>>> "Now assume a 128 bit session identifier that provides 64 bits of
>>> entropy.
>>
>>
>> What exactly does this mean?
>
> When you have a random 128-bit value, it does not mean it has full-size
> entropy.
>
> Anyway, why do you insist? A CSPRNG should be good enough for security
> purposes, but nobody has proven that the CSPRNGs PHP uses are collision free.
> Session ID validation is a cheap cost for serious web users.
>
> Basically you're saying “We do know it may happen, but you just had
> rare bad luck. Even though protection could be implemented, whatever
> consequences are your responsibility. It's the PHP way”.
> I strongly disagree with this kind of attitude.
>
> If there are users who really do not want collision detection at all,
> they should do without it at their own responsibility and risk.

The above discussion has been added to the RFC.

The default 128 bits Session ID is large enough to ignore collisions
https://wiki.php.net/rfc/session-create-id#discussions

It describes a single application, but PHP is a platform.
There are millions of PHP apps or more, and there could be billions of
active sessions. Tens of thousands of new session IDs or more could be
created. Apply the calculation for the expected time of a possible
collision.

Are you still sure "There will be no collisions at all"?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
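Carrying out the calculation the message asks for, as an added example that is not part of the thread or of PHP: the birthday-bound estimate for a full 128-bit ID and for the "128-bit ID with 64 bits of entropy" case quoted above. The session counts and the ID creation rate are assumed illustrative figures, not numbers from the RFC.

```python
import math

def collision_probability(n: int, bits: int) -> float:
    """Birthday bound: probability that at least one pair among n IDs drawn
    uniformly from a space of 2**bits collides.
    Uses 1 - exp(-n(n-1) / 2**(bits+1)), which is accurate while n << 2**bits.
    expm1 keeps precision when the probability is tiny."""
    if n < 2:
        return 0.0
    exponent = -(n * (n - 1)) / (2.0 ** (bits + 1))
    return -math.expm1(exponent)

def expected_ids_until_collision(bits: int) -> float:
    """Expected number of IDs generated before the first repeat:
    sqrt(pi/2 * 2**bits) for a uniform space of 2**bits values."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)

def expected_years_until_collision(bits: int, ids_per_second: float) -> float:
    """Expected wall-clock time to the first platform-wide repeat, given a
    sustained creation rate of new session IDs (assumed figure)."""
    seconds = expected_ids_until_collision(bits) / ids_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    # Assumed illustrative scale: 1e9 live sessions, 1e4 new IDs per second.
    active_sessions = 10**9
    rate = 10_000.0
    for label, bits in (("128-bit ID, full entropy", 128),
                        ("128-bit ID, 64 bits of entropy", 64)):
        p = collision_probability(active_sessions, bits)
        years = expected_years_until_collision(bits, rate)
        print(f"{label}: P(collision among {active_sessions:.0e}) = {p:.3e}, "
              f"expected first repeat after ~{years:.3g} years at {rate:.0f}/s")
```

The two rows show why the entropy figure, not the nominal ID length, decides whether collision detection matters: the 64-bit case reaches a few percent at a billion sessions, the full 128-bit case stays far below any practical threshold.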

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
