Re: [PHP-DEV] Fixing bug #68063

2016-01-15 Thread Julien Pauli
On Fri, Jan 15, 2016 at 1:32 AM, Yasuo Ohgaki wrote:
> Hi Julien,
>
> On Fri, Jan 15, 2016 at 9:10 AM, Yasuo Ohgaki wrote:
>>
>> On Fri, Jan 15, 2016 at 4:32 AM, Stanislav Malyshev
>> wrote:
>>> However, previous my fix (Raise

Re: [PHP-DEV] Fixing bug #68063

2016-01-15 Thread Yasuo Ohgaki
Hi Julien,

On Fri, Jan 15, 2016 at 7:36 PM, Julien Pauli wrote:
>
> I will cherry pick it for 5.5, as it is a fix for a security fix.

Thank you.

>
> Is it bfb9307b2d679a91e138fd876880470ece60942b ?

It's 8c37a086c78a66517967fcb809fb53297becfe42

Regards,

--
Yasuo Ohgaki

Re: [PHP-DEV] Fixing bug #68063

2016-01-14 Thread Julien Pauli
On Wed, Jan 13, 2016 at 12:03 AM, Stanislav Malyshev wrote:
> Hi!
>
>> I've disallowed empty session ID, but it wasn't an
>> appropriate fix.
>>
>> https://bugs.php.net/bug.php?id=68063
>
> Could you explain a bit more about the part where there are empty IDs
> generated? You

Re: [PHP-DEV] Fixing bug #68063

2016-01-14 Thread Yasuo Ohgaki
Hi Julien,

On Thu, Jan 14, 2016 at 7:21 PM, Julien Pauli wrote:
> On Wed, Jan 13, 2016 at 12:03 AM, Stanislav Malyshev
> wrote:
>> Hi!
>>
>>> I've disallowed empty session ID, but it wasn't an
>>> appropriate fix.
>>>
>>> https://bugs.php.net/bug.php?id=68063

Re: [PHP-DEV] Fixing bug #68063

2016-01-14 Thread Yasuo Ohgaki
Hi Stas,

On Fri, Jan 15, 2016 at 4:32 AM, Stanislav Malyshev wrote:
>
>> However, previous my fix (Raise warning and return false) was wrong fix.
>> Therefore, I would like to correct (Provide new session ID and continue)
>> it in 5.5 also. Does this make sense?
>
> Yes, but

Re: [PHP-DEV] Fixing bug #68063

2016-01-14 Thread Yasuo Ohgaki
Hi Julien,

On Fri, Jan 15, 2016 at 9:10 AM, Yasuo Ohgaki wrote:
>
> On Fri, Jan 15, 2016 at 4:32 AM, Stanislav Malyshev
> wrote:
>>
>>> However, previous my fix (Raise warning and return false) was wrong fix.
>>> Therefore, I would like to correct

Re: [PHP-DEV] Fixing bug #68063

2016-01-14 Thread Stanislav Malyshev
Hi!

> However, previous my fix (Raise warning and return false) was wrong fix.
> Therefore, I would like to correct (Provide new session ID and continue)
> it in 5.5 also. Does this make sense?

Yes, but not sure if it's for 5.5. It's for Julien to decide, ultimately, but it doesn't look like 5.5

Re: [PHP-DEV] Fixing bug #68063

2016-01-12 Thread Yasuo Ohgaki
Hi Stas,

On Wed, Jan 13, 2016 at 10:08 AM, Stanislav Malyshev wrote:
>> The root cause is browser's cookie handling.
>> It appears that browsers do not lock cookie while updating cookies.
>> Therefore race condition happens and browsers send empty cookie
>> sometimes. I

[PHP-DEV] Fixing bug #68063

2016-01-12 Thread Yasuo Ohgaki
Hi Julien,

I've disallowed empty session ID, but it wasn't an appropriate fix.

https://bugs.php.net/bug.php?id=68063

I made appropriate patch for this issue. It should be applied from PHP 5.5 to master. I attached patch to the bug report. Could you apply it from PHP 5.5? Or shall I commit it

Re: [PHP-DEV] Fixing bug #68063

2016-01-12 Thread Stanislav Malyshev
Hi!

> I've disallowed empty session ID, but it wasn't an
> appropriate fix.
>
> https://bugs.php.net/bug.php?id=68063

Could you explain a bit more about the part where there are empty IDs generated? You say it "is browser's cookie handling" - could you explain more about it?

> I made

Re: [PHP-DEV] Fixing bug #68063

2016-01-12 Thread Stanislav Malyshev
Hi!

> The root cause is browser's cookie handling.
> It appears that browsers do not lock cookie while updating cookies.
> Therefore race condition happens and browsers send empty cookie
> sometimes. I haven't checked the code, but observed it happens.
>
> I observed handful empty cookies a day

Re: [PHP-DEV] Fixing bug #68063

2016-01-12 Thread Yasuo Ohgaki
Hi Stas,

On Wed, Jan 13, 2016 at 8:03 AM, Stanislav Malyshev wrote:
>> I've disallowed empty session ID, but it wasn't an
>> appropriate fix.
>>
>> https://bugs.php.net/bug.php?id=68063
>
> Could you explain a bit more about the part where there are empty IDs
> generated? You