Hi Tom, On Sun, Aug 14, 2016 at 12:35 AM, Tom Worster <f...@thefsb.org> wrote: > Rather than argue the details of randomness, I have more basic comments. > > 1. If an app needs to access session values, it can and should do this > without indirection through the PHP session ID table.
I don't get point. Why? > > 2. Users should generally let PHP choose random IDs. I agree. > > 3. If PHP is to allow a user to chose its own session IDs, avoiding > collision is should that user's responsibility. No. I've already explained why this is difficult. Please read previous mail. Or try to write session save handler that detects collisions with memcached, then you'll see why. > > 4. Generating unique unpredictable IDs (without requiring collision > detection) is a common problem with known and trusted solutions. I agree. It's common because many unique ID generator do not have centralized database to avoid collisions. In contract, session has centralized database and it's just a matter of one lookup. (Therefore, session module should lookup database) Regards, P.S. I'll add optimization that eliminates SID validation lookup for normal operations. You don't have to worry about session performance if I add this. -- Yasuo Ohgaki yohg...@ohgaki.net -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
