Re: [RFC] [Discussion] Secure session_regenerate_id()

Date: Thu, 20 Mar 2014 08:23:46 +0000
Groups: php.internals
On Thu, Mar 20, 2014 at 03:33:09AM +0900, Yasuo Ohgaki wrote:

> > I agree. But we've got more factors here, it's not a simple tool for
> > detection
> > of crimes. If we let "old session" live for x secs, what will happen to
> > changes done to the old session? How do you want to resolve that? We should
> > find a balance between complexity and security.
> >
> >
> Currently we have poor mitigation. My proposal provides better mitigation.

I still don't see how you want to handle inconsistency between sessions. It
seems that your RFC silently ignores that issue.

 Kind Regards,
 Mateusz Kocielski
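The design under discussion (a regenerated ID whose predecessor stays valid for x seconds) raises the question of what happens to writes made through the old ID. As an added illustration, not code from the RFC or from PHP's session module, the constructed Python model below answers it with one possible policy: the retired ID resolves read-only to the single live session during its grace period, so there is never a second copy of the state to reconcile, and every use of a retired ID is logged for detection. The grace length, session IDs and event names are assumptions.

```python
class SessionStore:
    """Constructed in-memory model of session_regenerate_id() with a grace
    period for the old session ID. A simulation for the discussion above,
    not PHP's session module."""

    def __init__(self, grace_seconds=60):
        self.grace = grace_seconds
        self.data = {}      # live session id -> session variables
        self.retired = {}   # old id -> (new id, time the grace period ends)
        self.events = []    # audit log a detection rule could consume

    def start(self, sid, variables):
        self.data[sid] = dict(variables)

    def regenerate(self, old_sid, new_sid, now):
        """Move the session to new_sid; old_sid stays resolvable until now + grace."""
        self.data[new_sid] = self.data.pop(old_sid)
        self.retired[old_sid] = (new_sid, now + self.grace)

    def _resolve(self, sid, now):
        """Map a presented id to the single live session, or None."""
        if sid in self.data:
            return sid
        if sid in self.retired:
            new_sid, expiry = self.retired[sid]
            if now <= expiry:
                return new_sid
            self.events.append(("retired_id_after_grace", sid, now))
            return None
        self.events.append(("unknown_id", sid, now))
        return None

    def read(self, sid, key, now):
        live = self._resolve(sid, now)
        return None if live is None else self.data[live].get(key)

    def write(self, sid, key, value, now):
        """Writes are only accepted through the current id: the retired id is
        read-only, so old and new can never hold diverging state."""
        live = self._resolve(sid, now)
        if live is None:
            return False
        if live != sid:
            self.events.append(("write_via_retired_id", sid, now))
            return False
        self.data[live][key] = value
        return True
```

A request arriving with the retired ID inside the grace period still sees the current state, a write through it is refused and logged, and after the grace period the retired ID is rejected outright.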

