Re: [RFC] [Discussion] Secure session_regenerate_id()
Hi!
> I'm recognizing reliability/availability as a part of security.
> ISO 27000 defines it's a part of security.
Let's not parse semantics here. Declaring something that is not a security
issue - i.e. would not lead to unauthorized access, data disclosure,
etc. - as a security issue only makes real security issues drown in the
noise and not get proper priority. And it misleads people into thinking that
existing ways - which are fine - are somehow insecure and makes them not
use them.
> Secure behavior by default is the way to go. IMO.
> There are too many pitfalls in web application. We should try to
> mitigate them as many as possible where it could be done.
We're not implementing a web application in the engine. It's the task for
the developers and libraries. Implementing something that can easily be
implemented in userspace in the core only makes it less flexible and
makes the core heavier to maintain. We're not really saving much code
there - in fact, we're adding more code as now the developer has to deal
with exceptions. If the session would be silently deleted, it would
probably be ok, even though still a narrow use case which I don't think
should be in the engine, but throwing hard errors doesn't look useful at
all.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227