Hi Tom,

On Sun, Aug 14, 2016 at 12:35 AM, Tom Worster <f...@thefsb.org> wrote:
> Rather than argue the details of randomness, I have more basic comments.
>
> 1. If an app needs to access session values, it can and should do this
> without indirection through the PHP session ID table.

I don't get the point. Why?

>
> 2. Users should generally let PHP choose random IDs.

I agree.

>
> 3. If PHP is to allow a user to choose its own session IDs, avoiding
> collision should be that user's responsibility.

No. I've already explained why this is difficult. Please read the previous mail.
Or try to write a session save handler that detects collisions with
memcached, then you'll see why.

>
> 4. Generating unique unpredictable IDs (without requiring collision
> detection) is a common problem with known and trusted solutions.

I agree. It's common because many unique ID generators do not have
a centralized database to avoid collisions. In contrast, session has
a centralized database and it's just a matter of one lookup. (Therefore,
the session module should look up the database.)

Regards,

P.S. I'll add an optimization that eliminates the SID validation lookup for
normal operations. You don't have to worry about session performance
if I add this.


--
Yasuo Ohgaki
yohg...@ohgaki.net
