On Sat, 2 Jul 2016, Yasuo Ohgaki wrote:
> Hi all,
>
> Currently session module uses obsolete MD5 for session ID. With
> CSPRNG, hashing is redundant and needless. It adds hash module
> dependency and inefficient (There is no reason to use hash for CSPRNG
> generated bytes).
>
> This proposal cleans up session code by removing hash.
>
> https://wiki.php.net/rfc/session-id-without-hashing
>
> I set vote requires 2/3 support.
> Please describe the reason why when you against this RFC. Reasons are
> important for improvements!
I'm voting "no" because of

    session.use_strict_mode (0 to 1) - Changed as insurance of broken PRNG
    implementation.

and it not being mentioned in the BC breaking changes. It changes the behaviour
of session IDs, as shown in the manual:
session.use_strict_mode boolean
session.use_strict_mode specifies whether the module will use strict
session id mode. If this mode is enabled, the module does not accept
uninitialized session ID. If uninitialized session ID is sent from
browser, new session ID is sent to browser. Applications are
protected from session fixation via session adoption with strict
mode. Defaults to 0 (disabled).
cheers,
Derick
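The manual text quoted above describes what strict mode does when a browser sends an ID the server never created. The following PHP is an added illustration written for this page, not code from the session extension or from the RFC: it models that decision with a small in-memory store that implements the same `validateId()` hook the session extension consults when `session.use_strict_mode=1`, and it generates new IDs from `random_bytes()` without any hashing, which is the RFC's point. `ArrayStore`, `resolveSessionId()` and `newSessionId()` are names assumed for this example.

```php
<?php
// Added example: model of session ID acceptance with and without strict mode.
// ArrayStore stands in for a real save handler (files, redis, ...). Only the
// validateId() hook matters for strict mode: it answers "does this ID exist?".
final class ArrayStore implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string,string> constructed in-memory session storage */
    private array $sessions = [];

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string { return $this->sessions[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->sessions[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->sessions[$id]); return true; }
    public function gc(int $max_lifetime): int { return 0; }

    // Strict mode asks this before adopting an ID that came from the client.
    public function validateId(string $id): bool { return isset($this->sessions[$id]); }
    public function updateTimestamp(string $id, string $data): bool { return true; }
}

// New IDs straight from the CSPRNG: 128 bits, hex encoded, no MD5 in between.
function newSessionId(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Decide which session ID a request ends up with.
 * Returns [effective id, outcome] where outcome is one of
 * 'resumed', 'adopted', 'regenerated', 'created'.
 */
function resolveSessionId(?string $suppliedId, bool $strictMode, ArrayStore $store): array
{
    // A known ID is resumed in both modes.
    if ($suppliedId !== null && $store->validateId($suppliedId)) {
        return [$suppliedId, 'resumed'];
    }
    // Non-strict mode: an uninitialized, attacker-choosable ID is simply
    // initialized as-is (session adoption, the precondition for fixation).
    if ($suppliedId !== null && !$strictMode) {
        $store->write($suppliedId, '');
        return [$suppliedId, 'adopted'];
    }
    // Strict mode (or no ID at all): the server issues its own fresh ID.
    $fresh = newSessionId();
    $store->write($fresh, '');
    return [$fresh, $suppliedId === null ? 'created' : 'regenerated'];
}

// Demo with a constructed, never-issued ID that a client might present.
$unknownId = str_repeat('a', 32);

$lax = new ArrayStore();
[$id, $outcome] = resolveSessionId($unknownId, false, $lax);
printf("use_strict_mode=0: %-11s id=%s\n", $outcome, $id);   // adopted, same ID kept

$strict = new ArrayStore();
[$id, $outcome] = resolveSessionId($unknownId, true, $strict);
printf("use_strict_mode=1: %-11s id=%s\n", $outcome, $id);   // regenerated, server-chosen ID

// A second request with the server-issued ID resumes normally in strict mode.
[$again, $outcome] = resolveSessionId($id, true, $strict);
printf("use_strict_mode=1: %-11s id=%s\n", $outcome, $again); // resumed
```

The model mirrors the manual's description: only a store-validated ID is accepted, an unknown one is replaced when strict mode is on, and the replacement is the raw CSPRNG output. With a real handler the same `validateId()` method is what `session_start()` consults once `session.use_strict_mode` is enabled, so a handler that cannot answer it (or always returns true) silently reintroduces adoption.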
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php