On Tue, Aug 16, 2016 at 5:21 AM, Tom Worster <f...@thefsb.org> wrote:
> On 8/14/16 4:13 PM, Yasuo Ohgaki wrote:
>
>> "Now assume a 128 bit session identifier that provides 64 bits of
>> entropy.
>
> What exactly does this mean?

When you have a random 128-bit value, it does not mean it has full-size entropy.

Anyway, why do you insist? A CSPRNG should be good enough for security purposes, but nobody has proven that the CSPRNGs PHP uses are collision-free. Session ID validation is a cheap cost for serious web users.

Basically you're saying, "We do know it may happen, but you just had rare bad luck. Even though protection could be implemented, whatever the consequences are, they are your responsibility. It's the PHP way." I strongly disagree with this kind of attitude.

If there are users who really do not want collision detection at all, they should do so at their own responsibility and risk.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
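Added illustration, not code from this thread or from PHP's session module: a birthday-bound estimate of how likely an identifier collision is at 64 versus 128 bits of entropy, and a toy in-memory session store whose `create()` refuses to hand out an identifier that is already live, which is the kind of collision check the reply argues for. The store class, its method names and the sample identifiers are constructed for this example.

```python
import math
import secrets


def collision_probability(entropy_bits: int, n_sessions: int) -> float:
    """Birthday-bound estimate of P(at least one collision) among n_sessions
    identifiers drawn uniformly from 2**entropy_bits values:
    p ~= 1 - exp(-n(n-1) / (2 * 2**bits))."""
    space = 2.0 ** entropy_bits
    return -math.expm1(-n_sessions * (n_sessions - 1) / (2.0 * space))


def sessions_for_collision_probability(entropy_bits: int, p: float) -> int:
    """Approximate number of live sessions before P(collision) reaches p."""
    space = 2.0 ** entropy_bits
    return int(math.sqrt(-2.0 * space * math.log1p(-p)))


class SessionStore:
    """Toy in-memory session store (constructed for this example).
    create() mirrors a save handler that checks a freshly generated ID
    against the IDs already in the store and retries on a collision
    instead of silently attaching a second user to a live session."""

    def __init__(self, id_bytes=16, rng=secrets.token_hex):
        self._sessions = {}
        self._id_bytes = id_bytes
        self._rng = rng  # injectable so a test can force a collision
        self.collisions_detected = 0

    def create(self, data, max_tries=8):
        for _ in range(max_tries):
            sid = self._rng(self._id_bytes)
            if sid in self._sessions:  # collision: never reuse a live ID
                self.collisions_detected += 1
                continue
            self._sessions[sid] = data
            return sid
        raise RuntimeError("could not allocate a unique session ID")

    def get(self, sid):
        return self._sessions.get(sid)
```

With 64 bits of entropy the collision probability passes one third at about 2^32 live sessions, while a full 128 bits at the same load is below 10^-19.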