Re: Session Id Collisions

From:	Arpad Ray	Date:	Mon, 05 Aug 2013 16:04:53 +0000
Subject:	Re: Session Id Collisions
References:	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Yasuo,

On Mon, Aug 5, 2013 at 11:38 AM, Yasuo Ohgaki <[email protected]> wrote:

> On Mon, Aug 5, 2013 at 7:26 PM, Arpad Ray <[email protected]> wrote:
>
>> Could you point me to where this was decided please? I don't see a vote
>> or anything like a consensus in the previous threads.
>
>
> There isn't vote for this RFC since this is security.
> It's also a consensus.
>

While this is a security concern, it's not a straightforward bug fix. When
there's contention in how to fix it, I think there really should be a vote.

I've read the other threads and I don't think has been any clear consensus
about this issue and I, for one, am not happy to have what I feel is an
inferior solution committed while it's still being discussed.

To reiterate: this ini setting will quietly fail when using a handler which
hasn't been patched, like memcached, or a custom handler. That's arguably
worse than not having the setting at all since it could give people a false
sense of security.

Arpad


   

Thread (37 messages)

• Raymond IrvingThu, 23 Aug 2012 04:48:12 +0000
  • Rasmus LerdorfThu, 23 Aug 2012 15:03:32 +0000
    • Raymond IrvingThu, 23 Aug 2012 15:26:14 +0000
      • Sherif RamadanThu, 23 Aug 2012 15:53:28 +0000
        • Yasuo OhgakiSat, 25 Aug 2012 02:47:16 +0000
          • Ferenc KovacsSat, 25 Aug 2012 16:40:05 +0000
            • Yasuo OhgakiSat, 25 Aug 2012 22:02:29 +0000
              • Stas MalyshevSun, 26 Aug 2012 08:57:30 +0000
                • Yasuo OhgakiSun, 26 Aug 2012 20:49:20 +0000
          • Stas MalyshevSun, 26 Aug 2012 07:37:45 +0000
            • Yasuo OhgakiSun, 26 Aug 2012 20:55:40 +0000
              • Stas MalyshevSun, 26 Aug 2012 21:30:29 +0000
                • Yasuo OhgakiSun, 26 Aug 2012 21:33:25 +0000
              • Yasuo OhgakiSun, 26 Aug 2012 21:31:25 +0000
                • Stas MalyshevSun, 26 Aug 2012 21:35:06 +0000
                  • Yasuo OhgakiSun, 26 Aug 2012 21:36:52 +0000
                    • Yasuo OhgakiMon, 24 Dec 2012 06:32:17 +0000
                      • Yasuo OhgakiThu, 27 Jun 2013 00:36:24 +0000
                        • Arpad RayThu, 27 Jun 2013 09:02:53 +0000
                          • Yasuo OhgakiThu, 27 Jun 2013 10:51:42 +0000
                        • Stas MalyshevMon, 05 Aug 2013 00:15:43 +0000
                          • Stas MalyshevMon, 05 Aug 2013 00:45:30 +0000
                            • Yasuo OhgakiMon, 05 Aug 2013 01:01:31 +0000
                              • Arpad RayMon, 05 Aug 2013 09:22:45 +0000
                                • Yasuo OhgakiMon, 05 Aug 2013 09:50:16 +0000
                                  • Arpad RayMon, 05 Aug 2013 10:05:15 +0000
                                    • Yasuo OhgakiMon, 05 Aug 2013 10:10:14 +0000
                                      • Arpad RayMon, 05 Aug 2013 10:26:58 +0000
                                        • Yasuo OhgakiMon, 05 Aug 2013 10:38:42 +0000
                                          • Arpad RayMon, 05 Aug 2013 16:04:53 +0000
                                            • Yasuo OhgakiMon, 05 Aug 2013 18:46:51 +0000
                                              • Arpad RayMon, 05 Aug 2013 19:17:10 +0000
                                                • Stas MalyshevMon, 05 Aug 2013 19:23:33 +0000
                                                  • Arpad RayMon, 05 Aug 2013 19:33:35 +0000
                                                    • Yasuo OhgakiMon, 05 Aug 2013 19:57:40 +0000
                                                • Yasuo OhgakiMon, 05 Aug 2013 19:41:29 +0000
                      • Stas MalyshevFri, 28 Jun 2013 21:06:59 +0000