Hi Stas,
On Mon, Feb 3, 2014 at 5:23 PM, Stas Malyshev <[email protected]>wrote:
> > I see some users are generating unsafe session ID. Purpose of change is
> > not to generate insecure ID when user want some prefix in session ID.
>
> What's "insecure session ID" and how it is related to the matter we are
> discussing?
If there is not a easy way to create secure session ID (Currently, we
don't),
users may generate session ID by their own which may be insecure.
> > Yes.
> > Currently, if 'foo' is not there already, session_id('foo') does not
> > set
> > session ID, but creates new random session ID when use_strice_mode=on.
> >
> > string session_id(string $prefix_or_id [, bool $use_prefix=FALSE]);
> >
> > $use_prefix=TRUE will bypass use_strict_mode=on.
>
> I still don't understand what use_prefix has to do with secure session
> and why use_prefix would bypass strict mode. Something is missing here
> for me. Could you give some more detailed explanation of what you're
> trying to do here?
>
I see codes that set insecure session ID. use_strict_mode=on is supposed
to prevent it. However, there are users who want to have prefix as explained
before.
They would like to know session creation time, owner without actually
reading
session data for performance reasons.
I think this is valid use case of prefixed session ID.
> > As discussed in other thread, mcrypt_create_iv() is good one, but
> > it has some limitations. That's the reason why I think it would be
> > better to have function that generates secure random ID some how.
>
> We have two functions that generate random sequences - one in openssl
> and one in mcrypt. Why we need a third one?
>
This does not relates for this RFC anymore, since session_id(PREFIX, TRUE)
address creating secure session.
>
> > Anyway, it is time to compile openssl module by default. IMHO.
>
> Why we must control what the user compiles? The users that know what
> they're doing will compile it anyway, the users that don't will use
> distros which couldn't care less about our defaults and build all
> extensions separately anyway. I don't see which problem you're trying to
> fix here.
>
For instance, isn't it nice to have hardware AES available for
applications, is it?
Developers may assume users to load required extension, though.
> It makes security a lot simpler/easier for both users and internal
> > developers.
>
> What exactly is hard now but becomes easier? Typing --with-openssl is
> not hard.
I see many use cases of random bytes and encryption.
For example, there is no 'standard' function generating secure random
bytes now. We could say use of uniqid() as a secure random source is
bad, but isn't it bad that we don't provide standard function for it?
Available optionally and available always is different. IMHO.
Regards,
--
Yasuo Ohgaki
[email protected]