On Mon, Feb 3, 2014 at 7:43 PM, Pierre Joye <[email protected]> wrote:
> On Feb 3, 2014 11:36 AM, "Yasuo Ohgaki" <[email protected]> wrote:
> >
> > Hi Stas,
> >
> > On Mon, Feb 3, 2014 at 5:23 PM, Stas Malyshev <[email protected]> wrote:
> >
> > > > I see some users are generating unsafe session IDs. The purpose of the change is
> > > > not to generate an insecure ID when a user wants some prefix in the session ID.
> > >
> > > What's an "insecure session ID" and how is it related to the matter we are
> > > discussing?
> >
> >
> > If there is not an easy way to create a secure session ID (currently, we don't),
> > users may generate session IDs on their own, which may be insecure.
>
> That's exactly the point. Sessions have options to make them more secure
> (entropy, hash). Maybe the default should be improved. As far as I remember
> it is not possible anymore to build PHP without providing a valid entropy
> source.
>
Yes.
The session module requires a valid entropy source to generate a session ID.

Regards,
--
Yasuo Ohgaki
[email protected]