Re: [RFC] Secure Session Module Options by Default

From: Yasuo Ohgaki
Date: Mon, 03 Feb 2014 02:08:28 +0000
Subject: Re: [RFC] Secure Session Module Options by Default
Groups: php.internals
Hi Stas,

On Sun, Feb 2, 2014 at 7:25 PM, Stas Malyshev <[email protected]> wrote:

> > It could have signature like
> >
> > string session_id(string $prefix_or_id [, bool $use_prefix]);
>
> I'm not sure what prefix has to do with this RFC. Didn't we talk about
> secure setting? Where the prefix came from and why we need the prefix at
> all?
>

I see some users are generating unsafe session IDs. The purpose of the change is
not to generate an insecure ID when the user wants some prefix in the session ID.

>
> > We have to decide what we will do about use_strict_mode behavior.
> > It may be easier automatically set use_strict_mode=FALSE.
>
> I'm not sure I understand. So if strict mode is on, when I do
> session_id('foo') and session with ID foo does not exist, what would
> happen? Would session_start() create it or would it generate new ID,
> effectively ignoring my session_id command silently?
>

Yes.
Currently, if 'foo' is not there already, session_id('foo') does not set the
session ID, but creates a new random session ID when use_strict_mode=on.

string session_id(string $prefix_or_id [, bool $use_prefix=FALSE]);

$use_prefix=TRUE will bypass use_strict_mode=on.
>
> > I would like to expand uniqid() or create new function that returns
> > secure random string, so session_create_id() is not mandatory.
>
> Don't we have such function already?
> http://us1.php.net/manual/en/function.mcrypt-create-iv.php

As discussed in the other thread, mcrypt_create_iv() is a good one, but
it has some limitations. That's the reason why I think it would be
better to have a function that generates a secure random ID somehow.

Anyway, it is time to compile the openssl module by default, IMHO.
It makes security a lot simpler/easier for both users and internals
developers.

Regards,

--
Yasuo Ohgaki
[email protected]
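The message argues for a built-in way to get a prefixed session ID that is still unpredictable, and explains that use_strict_mode refuses to adopt an ID the server never issued. The following is an added example, not code from this thread or from PHP itself: it shows the weak pattern the message warns about (a prefix glued onto uniqid()) next to a hardened userland equivalent, plus the format check a strict-mode-style handler would apply before trusting a client-supplied ID. It assumes PHP 7 or later for random_bytes(); the function names and the 'app1' prefix are invented for the example.

```php
<?php
// Added example (not from the thread or from PHP itself). Assumes PHP 7+ for random_bytes().

// Weak: uniqid() is derived from the clock (microseconds), so the resulting ID is
// guessable. Shown only as the "before" the message describes; do not use it.
function weak_prefixed_id(string $prefix): string
{
    return $prefix . uniqid();
}

// Hardened: 16 bytes (128 bits) from the CSPRNG, hex-encoded. Lowercase hex is a
// subset of every character alphabet PHP accepts for session IDs, so the result is
// well formed whatever the ini setting. The prefix is restricted to the same
// alphabet so it cannot break the ID format either.
function secure_prefixed_id(string $prefix, int $bytes = 16): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('session IDs need at least 128 bits of entropy');
    }
    if (preg_match('/^[0-9a-f]{0,8}$/', $prefix) !== 1) {
        throw new InvalidArgumentException('prefix must be 0-8 chars of [0-9a-f]');
    }
    return $prefix . bin2hex(random_bytes($bytes));
}

// Format check a session handler can run before it trusts an ID supplied by the
// client. This is the defensive idea behind use_strict_mode: an ID the server did
// not create (or that does not even have the right shape) is never adopted, which
// is what blocks session fixation; a fresh ID is issued instead.
function is_well_formed_sid(string $id, string $prefix, int $bytes = 16): bool
{
    $hexLen = $bytes * 2;
    return strncmp($id, $prefix, strlen($prefix)) === 0
        && preg_match('/^[0-9a-f]{' . $hexLen . '}$/', substr($id, strlen($prefix))) === 1;
}

// Usage with constructed values:
$id = secure_prefixed_id('app1');
var_dump(is_well_formed_sid($id, 'app1'));        // server-issued ID: accepted
var_dump(is_well_formed_sid('app1foo', 'app1'));  // client-chosen 'foo': rejected
var_dump(is_well_formed_sid(weak_prefixed_id('app1'), 'app1')); // wrong shape: rejected
```

Note that is_well_formed_sid() only checks shape; a real strict-mode handler additionally checks that the ID exists in the session store, since a well-formed but never-issued ID must still be rejected. That second check is what session_id('foo') runs into in the thread above.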
