Hi Yasuo,

On Mon, Aug 5, 2013 at 10:50 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Mon, Aug 5, 2013 at 6:22 PM, Arpad Ray <array...@gmail.com> wrote:
>
>> I thought we were in agreement about doing this properly in PHP.next? My
>> arguments against this version of the patch still stand:
>
>
> We had a long discussion and decided to apply it to maintained branches
> as a security enhancement more than a year ago. We also planned to
> apply the patch to 5.3 originally, but 5.3 is security fix only now.
>
> Anyway, if users are resetting the session id properly, they are protected
> against session adoption attacks. However, if users do not protect their
> apps properly, then they are at risk of session adoption. This fix is
> rather important for PHP, since there are many setups that share
> PHP with many apps. That's the reason why we decided to apply
> this patch to maintained branches.
>
> PHP web server admins should feel much safer than before with this
> feature.
>

I'm not against the idea in principle but still think having a security feature which just quietly fails if you're not using one of two modified handlers is really not good.

I also think there's no great rush to add this, because as you say, it can be protected against in userland too. I would much rather have a robust, clean solution even if we have to wait until php.next for it.

Arpad
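For readers following the thread, here is an added illustration (not code from either poster or from the PHP patch under discussion) of the userland protection Yasuo and Arpad refer to: rejecting session IDs the server never issued and regenerating the ID on login, which is what an application on a PHP without strict session mode would do to avoid session adoption. The function names and the `__issued_by_server` marker are this example's own choices.

```php
<?php
// Added example: userland defence against session adoption / fixation
// for a PHP build without strict session mode. Assumption: the
// application only ever starts sessions via start_strict_session().

// Without strict mode, PHP accepts any session ID a client presents and
// creates a fresh session under it. We mark every session the server
// itself created; an ID without that marker was never issued by us.
function start_strict_session()
{
    session_start();
    if (empty($_SESSION['__issued_by_server'])) {
        // Unknown (possibly client-chosen) ID: discard any data under it
        // and move the client to a server-generated ID instead.
        $_SESSION = array();
        session_regenerate_id(true); // true = remove the old session data
        $_SESSION['__issued_by_server'] = true;
    }
}

// The marker alone is not enough: an ID obtained legitimately from the
// server and then planted on a victim carries the marker. Regenerating on
// every privilege change (login, role change) closes that gap, because the
// authenticated state is only ever bound to an ID the client did not see
// before authenticating.
function on_login($user_id)
{
    session_regenerate_id(true);
    $_SESSION = array('__issued_by_server' => true, 'user_id' => $user_id);
}

// On logout, drop the data and the cookie so the old ID cannot be reused.
function on_logout()
{
    $_SESSION = array();
    session_regenerate_id(true);
    session_destroy();
}
```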