On 8/10/16 5:14 AM, Yasuo Ohgaki wrote:
Hi all,

This is an RFC for adding the session_create_id() function.

Session ID string uses special binary to string conversion. Users
should write lengthy and slow code to have the same session ID string
as session module does. It also validates and makes sure generated
session ID string has no collision. (This cannot be done easily by
user script and 3rd party C written save handlers)

Rather than argue the details of randomness, I have more basic comments.

1. If an app needs to access session values, it can and should do this without indirection through the PHP session ID table.

2. Users should generally let PHP choose random IDs.

3. If PHP is to allow a user to choose its own session IDs, avoiding collision should be that user's responsibility.

4. Generating unique unpredictable IDs (without requiring collision detection) is a common problem with known and trusted solutions.

Tom


--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
