Re: [RFC] Secure Session Module Options by Default

From: Yasuo Ohgaki
Date: Mon, 03 Feb 2014 10:47:59 +0000
Subject: Re: [RFC] Secure Session Module Options by Default
Groups: php.internals
On Mon, Feb 3, 2014 at 7:43 PM, Pierre Joye <[email protected]> wrote:

> On Feb 3, 2014 11:36 AM, "Yasuo Ohgaki" <[email protected]> wrote:
> >
> > Hi Stas,
> >
> > On Mon, Feb 3, 2014 at 5:23 PM, Stas Malyshev <[email protected]> wrote:
> >
> > > > I see some users are generating unsafe session IDs. The purpose of the
> > > > change is not to generate an insecure ID when the user wants some prefix
> > > > in the session ID.
> > >
> > > What's an "insecure session ID" and how is it related to the matter we
> > > are discussing?
> >
> > If there is not an easy way to create a secure session ID (currently, we
> > don't have one), users may generate session IDs on their own, which may be
> > insecure.
>
> That's exactly the point. Sessions have options to make them more secure
> (entropy, hash). Maybe the default should be improved. As far as I remember
> it is not possible anymore to build PHP without providing a valid entropy
> source.
>
Yes.
The session module requires a valid entropy source to generate session IDs.

Regards,

--
Yasuo Ohgaki
[email protected]
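As an added example, not code from this thread or from PHP itself: the hand-rolled "prefix plus predictable source" pattern Yasuo describes, beside a hardened variant that keeps the prefix, together with the session entropy and hash directives Pierre alludes to. It assumes PHP 5.3 to 5.6 with the openssl extension (the era of this message); the prefix `app1-` is a constructed sample value.

```php
<?php
// Added example (not from the thread): the two session-ID paths discussed above.
// Assumes PHP 5.3-5.6 with the openssl extension, where session.entropy_* and
// session.hash_function are the module's tunables.

// Weak pattern the thread warns about: a hand-rolled ID built from a prefix
// plus a predictable source. uniqid() is clock-based and mt_rand() is not a
// CSPRNG, so such IDs are far easier to guess than the module's own IDs.
function weak_session_id($prefix)
{
    return $prefix . md5(uniqid(mt_rand(), true));   // DO NOT USE
}

// Hardened variant: keep the prefix, but draw the random part from the OS
// CSPRNG via openssl_random_pseudo_bytes() and refuse to continue if the
// extension reports that the bytes were not cryptographically strong.
function secure_session_id($prefix, $bytes = 32)
{
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || $strong !== true) {
        throw new RuntimeException('no strong entropy source available');
    }
    return $prefix . bin2hex($raw);   // hex stays within the allowed ID charset
}

// Module-side settings to raise, so the built-in generator is strong even for
// code that never sets an ID itself (values shown are the hardened choice).
ini_set('session.entropy_file', '/dev/urandom');
ini_set('session.entropy_length', '32');         // bytes mixed into each ID
ini_set('session.hash_function', 'sha256');      // instead of the old md5 default
ini_set('session.hash_bits_per_character', '5'); // shorter ID, same entropy

// A custom ID must be installed before session_start() creates the session.
session_id(secure_session_id('app1-'));  // 'app1-' is a constructed sample prefix
session_start();
```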

