Re: [VOTE] Secure Session Module Options/Internal by Default

From:	Andrey Andreev	Date:	Mon, 17 Feb 2014 08:11:35 +0000
Subject:	Re: [VOTE] Secure Session Module Options/Internal by Default
Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hey,

I didn't want to interrupt a vote, but this 'id_length' setting was
not initially a part of the RFC and it's just now that I see it.

I don't see how it relates to timing attacks.
If it is about comparing at least N characters of the session ID
before rejecting one, then why not just compare all of them? ID length
is public information, anybody can see what it is by simply looking at
what the application gives them.
And finally, the setting name itself is misleading - it doesn't make
it clear that it's about minimum length.

Cheers,
Andrey.


   

Thread (19 messages)

• Andrey AndreevMon, 17 Feb 2014 08:11:35 +0000
  • Yasuo OhgakiMon, 17 Feb 2014 09:40:37 +0000
    • Andrey AndreevMon, 17 Feb 2014 13:22:37 +0000
      • Yasuo OhgakiTue, 18 Feb 2014 00:13:18 +0000
        • Stas MalyshevTue, 18 Feb 2014 00:40:22 +0000
          • Yasuo OhgakiTue, 18 Feb 2014 01:46:31 +0000
            • Stas MalyshevTue, 18 Feb 2014 04:11:15 +0000
              • Yasuo OhgakiTue, 18 Feb 2014 10:42:39 +0000
            • Andrey AndreevThu, 20 Feb 2014 13:03:49 +0000
              • Yasuo OhgakiThu, 20 Feb 2014 21:17:12 +0000
                • Andrey AndreevFri, 21 Feb 2014 11:25:24 +0000
                  • Ferenc KovacsMon, 24 Feb 2014 09:31:57 +0000
                    • Yasuo OhgakiMon, 24 Feb 2014 09:34:06 +0000
                  • Yasuo OhgakiMon, 24 Feb 2014 09:31:37 +0000
                    • Andrey AndreevMon, 24 Feb 2014 09:50:31 +0000
                      • Yasuo OhgakiMon, 24 Feb 2014 10:00:07 +0000
                        • Andrey AndreevMon, 24 Feb 2014 13:40:30 +0000
                        • Marcel AraujoMon, 24 Feb 2014 14:05:31 +0000
                          • Rouven WeßlingMon, 24 Feb 2014 14:09:40 +0000