Re: [RFC] Secure Session Module Options by Default

From:	Yasuo Ohgaki	Date:	Thu, 06 Feb 2014 06:15:11 +0000
Subject:	Re: [RFC] Secure Session Module Options by Default
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi all,
On Sun, Feb 2, 2014 at 7:33 AM, Yasuo Ohgaki <[email protected]> wrote:

> Secure Session Module Options by Default
> https://wiki.php.net/rfc/secure-session-options-by-default
>
> Session is core of web security. Therefore, default should be
> as secure as possible by default.
>
> I'll open vote next week, please send comments now.
>

I've added new INI option for security reason. (Timing attack mitigation)

**session_id_length** minimum session ID length to mitigate timing attack.
26 for PHP 5.3/5.4/5.5. 52 for 5.6.

I'll add new value(int) at the end of ps_globals for released versions.

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (30 messages)

• Yasuo OhgakiSat, 01 Feb 2014 22:33:37 +0000
  • Stas MalyshevSat, 01 Feb 2014 22:52:56 +0000
    • Yasuo OhgakiSat, 01 Feb 2014 23:59:59 +0000
      • Yasuo OhgakiSun, 02 Feb 2014 00:06:54 +0000
      • Stas MalyshevSun, 02 Feb 2014 07:14:04 +0000
        • Yasuo OhgakiSun, 02 Feb 2014 09:50:17 +0000
          • Yasuo OhgakiSun, 02 Feb 2014 09:51:51 +0000
          • Stas MalyshevSun, 02 Feb 2014 10:25:50 +0000
            • Yasuo OhgakiMon, 03 Feb 2014 02:08:28 +0000
              • Stas MalyshevMon, 03 Feb 2014 08:23:22 +0000
                • Yasuo OhgakiMon, 03 Feb 2014 10:35:26 +0000
                  • Pierre JoyeMon, 03 Feb 2014 10:43:22 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 10:47:59 +0000
                  • Lester CaineMon, 03 Feb 2014 11:02:09 +0000
  • Yasuo OhgakiSun, 02 Feb 2014 06:50:03 +0000Re: [RFC] Secure Session Module Options by Default
  • Yasuo OhgakiThu, 06 Feb 2014 06:15:11 +0000Re: [RFC] Secure Session Module Options by Default
    • Yasuo OhgakiThu, 06 Feb 2014 06:26:10 +0000
• Andrey AndreevMon, 03 Feb 2014 07:31:28 +0000Re: [RFC] Secure Session Module Options by Default
  • Yasuo OhgakiMon, 03 Feb 2014 10:18:46 +0000
    • Andrey AndreevMon, 03 Feb 2014 10:54:01 +0000
      • Yasuo OhgakiMon, 03 Feb 2014 21:48:17 +0000
        • Andrey AndreevMon, 03 Feb 2014 22:29:52 +0000
          • Yasuo OhgakiMon, 03 Feb 2014 23:05:06 +0000
            • Andrey AndreevTue, 04 Feb 2014 12:59:33 +0000
              • Yasuo OhgakiWed, 05 Feb 2014 00:13:42 +0000
                • Andrey AndreevWed, 05 Feb 2014 20:00:52 +0000
                  • Yasuo OhgakiWed, 05 Feb 2014 21:58:44 +0000
                    • Andrey AndreevThu, 03 Apr 2014 09:31:58 +0000
                      • Yasuo OhgakiFri, 04 Apr 2014 09:14:07 +0000
                        • Yasuo OhgakiMon, 12 May 2014 08:13:33 +0000