Re: [RFC] Secure Session Module Options by Default

From: Date: Thu, 06 Feb 2014 06:26:10 +0000
Subject: Re: [RFC] Secure Session Module Options by Default
References: 1 2  Groups: php.internals 
Hi all,

On Thu, Feb 6, 2014 at 3:15 PM, Yasuo Ohgaki <[email protected]> wrote:

> On Sun, Feb 2, 2014 at 7:33 AM, Yasuo Ohgaki <[email protected]> wrote:
>
>> Secure Session Module Options by Default
>> https://wiki.php.net/rfc/secure-session-options-by-default
>>
>> Session is the core of web security. Therefore, the default should be
>> as secure as possible.
>>
>> I'll open the vote next week; please send comments now.
>>
>
> I've added a new INI option for security reasons. (Timing attack mitigation)
>
> **session_id_length**: minimum session ID length to mitigate timing attacks.
> 26 for PHP 5.3/5.4/5.5. 52 for 5.6.
>

I need information about PHP distributions.
Does anyone know if there are PHP distributions that provide the hash module as
*.(so|dll)?
If there are, I have to change this INI value.

Thank you!

--
Yasuo Ohgaki
[email protected]

