Hi Yasuo,
I really appreciate your constant effort to improve security and PHP
in general. In the case of the session management I am not sure I can
vote positively on the current RFC(s).
On Thu, Mar 20, 2014 at 4:07 AM, Yasuo Ohgaki <[email protected]> wrote:
> Hi Stas,
>
> On Thu, Mar 20, 2014 at 10:26 AM, Stas Malyshev <[email protected]> wrote:
>
>> > I'm recognizing reliability/availability as a part of security.
>> > ISO 27000 defines it as a part of security.
>>
>> Let's not parse semantics here. Declaring something that is not a security
>> issue - i.e. would not lead to unauthorized access, data disclosure,
>> etc. - as a security issue only makes real security issues drown in the
>> noise and not get proper priority. And it misleads people into thinking that
>> existing ways - which are fine - are somehow insecure and makes them not
>> use them.
>>
>
> I'm OK with a different name.
> The line between a security issue and a non-security issue is vague.
I agree with Stas here. I have been asking for past CVEs related to
the possible issues you described here; I did not find any and sadly
did not get any information which could change my mind.
Most of what is described here should be covered by the application
layer, as it really depends on what developers need. Per se, the
current session module is safe. It may not cover all edge cases, but
this is why we have the necessary API to allow developers to add
behaviors as desired (not necessarily required, which is the point I
agree with Stas on here).
Cheers,
--
Pierre
@pierrejoye | http://www.libgd.org