Hi all,
On Sun, Feb 2, 2014 at 7:33 AM, Yasuo Ohgaki <[email protected]> wrote:
> Secure Session Module Options by Default
> https://wiki.php.net/rfc/secure-session-options-by-default
>
> Session is the core of web security. Therefore, the default should be
> as secure as possible by default.
>
> I'll open the vote next week, please send comments now.
>
I've added a new INI option for security reasons. (Timing attack mitigation)
**session_id_length**: minimum session ID length to mitigate timing attacks.
26 for PHP 5.3/5.4/5.5. 52 for 5.6.
I'll add a new value (int) at the end of ps_globals for released versions.
Regards,
--
Yasuo Ohgaki
[email protected]