Hi Stas,
On Sun, Feb 2, 2014 at 7:25 PM, Stas Malyshev <[email protected]> wrote:
> > It could have signature like
> >
> > string session_id(string $prefix_or_id [, bool $use_prefix]);
>
> I'm not sure what prefix has to do with this RFC. Didn't we talk about
> secure setting? Where the prefix came from and why we need the prefix at
> all?
>
I see some users are generating unsafe session IDs. The purpose of the change is
not to generate insecure IDs when users want some prefix in the session ID.
>
> > We have to decide what we will do about use_strict_mode behavior.
> > It may be easier automatically set use_strict_mode=FALSE.
>
> I'm not sure I understand. So if strict mode is on, when I do
> session_id('foo') and session with ID foo does not exist, what would
> happen? Would session_start() create it or would it generate new ID,
> effectively ignoring my session_id command silently?
>
Yes.
Currently, if 'foo' is not there already, session_id('foo') does not set the
session ID, but creates a new random session ID when use_strict_mode=on.
string session_id(string $prefix_or_id [, bool $use_prefix=FALSE]);
$use_prefix=TRUE will bypass use_strict_mode=on.
>
> > I would like to expand uniqid() or create new function that returns
> > secure random string, so session_create_id() is not mandatory.
>
> Don't we have such function already?
> http://us1.php.net/manual/en/function.mcrypt-create-iv.php
As discussed in the other thread, mcrypt_create_iv() is a good one, but
it has some limitations. That's the reason why I think it would be
better to have a function that generates a secure random ID somehow.
Anyway, it is time to compile the openssl module by default, IMHO.
It makes security a lot simpler/easier for both users and internal
developers.
Regards,
--
Yasuo Ohgaki
[email protected]
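As an added illustration of the two points discussed above (not code from the thread, the RFC or PHP itself): a helper that accepts a caller-supplied prefix while keeping all unpredictability in the random part, and a check of what use_strict_mode=1 does with a session_id() value the save handler has never seen. It assumes PHP 7+ for random_bytes(), the default files save handler and a writable temp directory.

```php
<?php
// Added example for this thread; not code from the RFC or from PHP itself.
declare(strict_types=1);

// A caller-supplied prefix must not weaken the ID. The prefix is restricted to
// characters the session module itself may emit, and all unpredictability comes
// from the CSPRNG (random_bytes(), PHP 7+); the prefix adds no entropy.
function prefixed_session_id(string $prefix, int $randomBytes = 16): string
{
    if (!preg_match('/\A[A-Za-z0-9]{1,16}\z/', $prefix)) {
        throw new InvalidArgumentException('prefix must be 1-16 chars of [A-Za-z0-9]');
    }
    if ($randomBytes < 16) {
        throw new InvalidArgumentException('at least 128 bits of randomness required');
    }
    return $prefix . '-' . bin2hex(random_bytes($randomBytes));
}

// What use_strict_mode=1 does with an ID the save handler has never seen:
// the ID passed to session_id() is discarded and a fresh random one is issued,
// so the function returns false for an ID this server never created.
// Assumes the default files handler and a writable temp directory.
function strict_mode_accepts_unknown_id(string $unknownId): bool
{
    ini_set('session.use_strict_mode', '1');
    ini_set('session.save_path', sys_get_temp_dir());
    session_id($unknownId);
    session_start();
    $accepted = (session_id() === $unknownId);
    session_destroy();
    return $accepted;
}

// Run the strict-mode check before producing any output, so session_start()
// is not affected by already-sent headers on SAPIs that track them.
$accepted = strict_mode_accepts_unknown_id('foo');
$id = prefixed_session_id('tenant42');

printf("prefixed id: %s\n", $id);
printf("strict mode accepted unknown id 'foo': %s\n", $accepted ? 'yes' : 'no');
```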