Re: [RFC] Secure Session Module Options by Default

From: Date: Mon, 03 Feb 2014 11:02:09 +0000
Subject: Re: [RFC] Secure Session Module Options by Default
Groups: php.internals

Yasuo Ohgaki wrote:
> I see some users are generating unsafe session ID. Purpose of change is
> not to generate insecure ID when user want some prefix in session ID.
>
> What's "insecure session ID" and how it is related to the matter we are discussing?
>
> If there is not an easy way to create secure session ID (Currently, we don't), users may generate session ID by their own which may be insecure.

Simple question ... does it actually matter? If a session id is simply used for navigating a visit to a site then as long as it works it's fine? If *I* am working with a secure site then I have another level of security via a VPN connection. As an intermediate for secure financial transactions, it's the service providers who dictate the security used? Again we seem to be targeting things which are under rules which may be dictated by third party requirements, and third party tools such as ssh?

--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
