Hi Stas, On Wed, Jan 27, 2016 at 9:16 AM, Stanislav Malyshev <smalys...@gmail.com> wrote: >>> About, since session_id() is a user function, what do we gain by >>> limiting what it does? >> >> Prefix is a part of session ID and it should have the same requirement >> as session ID for security reasons. > > I'm not sure why you're talking about prefix. I thought that the issue > was that user can supply session_id() with the ID that is not good for > some reason and you want to filter it on session_id level. Am I wrong?
Oops, sorry. Too many lines to reply, I misread session_id()/session_create_id() session_id() sets session ID. Invalid char that cannot be accepted should be rejected. Otherwise, user will have lost sessions without errors. > >> There is SessionHandler::create_sid(), but there isn't a function that >> creates secure session ID. > > Why not? The ID created now is not secure? Why? I see it uses > php_session_create_id(), do you mean this function is insecure too? Why? > In any case, if you think it is insecure, why not fix it? SessionHandler::create_sid() is for creating user own ID. Generating ID with certain prefix. SessionHandler::create_sid() may call parent create ID function, though. If parent is session module's save handler, it will call php_session_create_id(). Currently, there is no simple way to generate session ID with the form of session module generates. i.e. hash_bits_per_characters=5/6. There should be an API for it. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
