On 18 May 2022, at 18:43, Christoph M. Becker wrote:
> On 18.05.2022 at 18:37, Craig Francis wrote:
>> I would hope both are very rare, but I'm still writing up reports about
>> developers doing things like `file_put_contents('/tmp/' . $_POST['id'],
>> $_POST['message'])`, so I don't have a lot
Thanks all for the early feedback.
So it is an attempt to mitigate tampering attacks basically on sessions stored on filesystems. So it appears to be a subset of session usage overall indeed, but doing so in a native manner is what drove the PR.
On Wed, 18 May 2022 at 18:43, Christoph M. Becker wr
I'm not sure I'm a fan of the PR as it stands, but the idea of
encrypting session data - definitely.
When sessions are stored on disk, that data is plainly visible by anyone
(or any process) with read access to that disk. If they're cached
instead in a DB or an in-memory system like Memcached,
On 18.05.2022 at 18:37, Craig Francis wrote:
> On 18 May 2022, at 17:02, Mark Randall wrote:
>
>> Personally I usually just throw the session key through a one-way hash so
>> the original session ID never gets written to a backing store.
>
> Good idea, but that's not done by default.
But also n
On 18 May 2022, at 17:02, Mark Randall wrote:
> Personally I usually just throw the session key through a one-way hash so the
> original session ID never gets written to a backing store.
Good idea, but that's not done by default.
> I'm not sure why reversible encryption needs to take place?
On 18/05/2022 16:23, Craig Francis wrote:
If the Session ID continued to work as the Identifier, but the client was given
the Session ID and a Random Key (could be concatenated together for the
cookie)... that means the Random Key would not be stored on the server, and
could protect the sessio
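The two ideas raised in this thread, hashing the session ID before it is used as the storage name (so the raw ID never reaches the backing store) and encrypting the payload with a random key that only the client carries next to the session ID, written out as an added userland example. This is not the PR's code and not anything from php-src; it assumes the sodium extension, a 32-byte client key, a cookie laid out as `<session id>.<base64url key>` that the application splits before `session_start()`, and the hypothetical class name `ClientKeyedFileSessionHandler`.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical handler, not the PR's implementation).
// - storageName(): the cookie's session ID is hashed, so the file name on disk
//   never reveals the ID itself.
// - write()/read(): the serialised session data is sealed with a key the client
//   holds; someone who can read the session directory sees only ciphertext, and
//   a tampered file fails authentication instead of being deserialised.
final class ClientKeyedFileSessionHandler implements SessionHandlerInterface
{
    private string $savePath = '';
    private string $clientKey;

    public function __construct(string $clientKey)
    {
        if (strlen($clientKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('client key must be 32 bytes');
        }
        $this->clientKey = $clientKey;
    }

    // Storage name derived from the ID by a one-way hash, never the ID itself.
    private function storageName(string $id): string
    {
        return $this->savePath . '/sess_' . hash('sha256', $id);
    }

    public function open(string $path, string $name): bool
    {
        $this->savePath = rtrim($path, '/');
        return is_dir($this->savePath) || mkdir($this->savePath, 0700, true);
    }

    public function close(): bool
    {
        return true;
    }

    public function read(string $id): string|false
    {
        $file = $this->storageName($id);
        if (!is_file($file)) {
            return ''; // new session: nothing stored yet
        }
        $blob = file_get_contents($file);
        if ($blob === false || strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return false;
        }
        $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        // Authenticated decryption: wrong key or modified bytes yield false.
        return sodium_crypto_secretbox_open($cipher, $nonce, $this->clientKey);
    }

    public function write(string $id, string $data): bool
    {
        $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $cipher = sodium_crypto_secretbox($data, $nonce, $this->clientKey);
        return file_put_contents($this->storageName($id), $nonce . $cipher, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $file = $this->storageName($id);
        return !is_file($file) || unlink($file);
    }

    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->savePath . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) {
                $removed++;
            }
        }
        return $removed;
    }
}

// Assumed cookie layout "<session id>.<base64url key>"; the server never
// persists the key part. sodium_base642bin() throws on malformed input.
function splitSessionCookie(string $cookie): array
{
    [$id, $key] = explode('.', $cookie, 2) + [1 => ''];
    return [$id, sodium_base642bin($key, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING)];
}

// Usage sketch: split the cookie, set the ID explicitly, then register the handler.
// [$id, $key] = splitSessionCookie($_COOKIE['app_session'] ?? '');
// session_id($id);
// session_set_save_handler(new ClientKeyedFileSessionHandler($key), true);
// session_start();
```

A new session gets its key from `random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)` and the application sets the combined cookie itself, since PHP's built-in ID validation would reject a cookie value containing the key. Two consequences follow from the design: `session_regenerate_id()` should be paired with a fresh key, and a record whose cookie is gone can no longer be decrypted by the server, which is exactly the property the thread is after.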
On 17 May 2022, at 23:11, Mark Randall wrote:
> On 17/05/2022 21:36, David CARLIER wrote:
>> I wanted a more general but early feedback on the idea itself
>> https://github.com/php/php-src/pull/3759
>
> What is the motivation? What is it meant to achieve?
If the Session ID continued to work as