Re: [RFC] Secure Session Module Options by Default

From:
Date: Thu, 06 Feb 2014 06:15:11 +0000
Subject: Re: [RFC] Secure Session Module Options by Default
References: 1
Groups: php.internals
Hi all,
On Sun, Feb 2, 2014 at 7:33 AM, Yasuo Ohgaki <[email protected]> wrote:

> Secure Session Module Options by Default
> https://wiki.php.net/rfc/secure-session-options-by-default
>
> The session is the core of web security. Therefore, the defaults should be
> as secure as possible.
>
> I'll open the vote next week; please send comments now.
>

I've added a new INI option for security reasons (timing attack mitigation).

**session_id_length**: minimum session ID length to mitigate timing attacks.
26 for PHP 5.3/5.4/5.5, 52 for 5.6.

I'll add the new value (int) at the end of ps_globals for released versions.

Regards,

--
Yasuo Ohgaki
[email protected]
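As an added illustration of the two minimums quoted above (not code from the RFC or from PHP itself): on PHP 5.x/7.0 the session ID length follows from the configured hash (md5 = 128 bits, sha256 = 256 bits) and session.hash_bits_per_character, and a site can reject IDs that fall below that minimum before session_start() adopts them. The helper names, and the assumption that 26 and 52 correspond to md5 and sha256 at 5 bits per character, are mine.

```php
<?php
// Added example, not part of the RFC or the mailing-list thread.
// Assumes PHP 5.x/7.0 INI settings session.hash_function and
// session.hash_bits_per_character; the proposed session_id_length
// option is not available in those versions, so we derive it.

// Number of characters PHP's generator emits for a digest of
// $hashBits bits packed at $bitsPerChar bits per character (rounded up).
// Assumption: 128 bits at 5 bits/char gives the 26 quoted for 5.3-5.5,
// and 256 bits at 5 bits/char gives the 52 quoted for 5.6.
function expected_sid_length($hashBits, $bitsPerChar)
{
    return (int) ceil($hashBits / $bitsPerChar);
}

// Validate a session ID taken from the cookie before session_start().
// Rejects IDs shorter than $minLength or containing characters outside
// the alphabet PHP uses for the given bits-per-character setting:
// [0-9a-f] for 4, [0-9a-v] for 5, [0-9a-zA-Z,-] for 6.
function is_acceptable_sid($sid, $minLength, $bitsPerChar)
{
    $alphabet = array(4 => '0-9a-f', 5 => '0-9a-v', 6 => '0-9a-zA-Z,-');
    if (!isset($alphabet[$bitsPerChar]) || strlen($sid) < $minLength) {
        return false;
    }
    return preg_match('/^[' . $alphabet[$bitsPerChar] . ']+$/', $sid) === 1;
}

// Minimum for a sha256-based ID at 5 bits/char (the 5.6 figure above).
$bitsPerChar = 5;
$minLength   = expected_sid_length(256, $bitsPerChar);

// If the client sent a malformed or too-short ID, discard it so PHP
// generates a fresh one instead of adopting the caller-supplied value.
$name = session_name();
if (isset($_COOKIE[$name]) && !is_acceptable_sid($_COOKIE[$name], $minLength, $bitsPerChar)) {
    unset($_COOKIE[$name]);
    setcookie($name, '', time() - 3600);
}
session_start();
```

Pair this with session.use_strict_mode=1 where available, since that makes PHP itself refuse uninitialised IDs rather than relying on a userland check.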

