On Fri, Jan 15, 2016 at 1:32 AM, Yasuo Ohgaki wrote:
> Hi Julien,
>
> On Fri, Jan 15, 2016 at 9:10 AM, Yasuo Ohgaki wrote:
>>
>> On Fri, Jan 15, 2016 at 4:32 AM, Stanislav Malyshev
>> wrote:
>>>
However, my previous fix (Raise
Hi Julien,
On Fri, Jan 15, 2016 at 7:36 PM, Julien Pauli wrote:
>
> I will cherry pick it for 5.5, as it is a fix for a security fix.
Thank you.
>
> Is it bfb9307b2d679a91e138fd876880470ece60942b ?
It's 8c37a086c78a66517967fcb809fb53297becfe42
Regards,
--
Yasuo Ohgaki
On Wed, Jan 13, 2016 at 12:03 AM, Stanislav Malyshev
wrote:
> Hi!
>
>> I've disallowed empty session ID, but it wasn't an
>> appropriate fix.
>>
>> https://bugs.php.net/bug.php?id=68063
>
> Could you explain a bit more about the part where there are empty IDs
> generated? You
Hi Julien,
On Thu, Jan 14, 2016 at 7:21 PM, Julien Pauli wrote:
> On Wed, Jan 13, 2016 at 12:03 AM, Stanislav Malyshev
> wrote:
>> Hi!
>>
>>> I've disallowed empty session ID, but it wasn't an
>>> appropriate fix.
>>>
>>> https://bugs.php.net/bug.php?id=68063
Hi Stas,
On Fri, Jan 15, 2016 at 4:32 AM, Stanislav Malyshev wrote:
>
>> However, my previous fix (Raise warning and return false) was the wrong fix.
>> Therefore, I would like to correct (Provide new session ID and continue)
>> it in 5.5 also. Does this make sense?
>
> Yes, but
Hi Julien,
On Fri, Jan 15, 2016 at 9:10 AM, Yasuo Ohgaki wrote:
>
> On Fri, Jan 15, 2016 at 4:32 AM, Stanislav Malyshev
> wrote:
>>
>>> However, my previous fix (Raise warning and return false) was the wrong fix.
>>> Therefore, I would like to correct
Hi!
> However, my previous fix (Raise warning and return false) was the wrong fix.
> Therefore, I would like to correct (Provide new session ID and continue)
> it in 5.5 also. Does this make sense?
Yes, but not sure if it's for 5.5. It's for Julien to decide,
ultimately, but it doesn't look like 5.5
Hi Stas,
On Wed, Jan 13, 2016 at 10:08 AM, Stanislav Malyshev
wrote:
>> The root cause is browser's cookie handling.
>> It appears that browsers do not lock cookies while updating cookies.
>> Therefore a race condition happens and browsers send an empty cookie
>> sometimes. I
Hi Julien,
I've disallowed empty session ID, but it wasn't an
appropriate fix.
https://bugs.php.net/bug.php?id=68063
I made an appropriate patch for this issue. It should be
applied from PHP 5.5 to master. I attached the patch to
the bug report. Could you apply it from PHP 5.5? Or
shall I commit it
Hi!
> I've disallowed empty session ID, but it wasn't an
> appropriate fix.
>
> https://bugs.php.net/bug.php?id=68063
Could you explain a bit more about the part where there are empty IDs
generated? You say it "is browser's cookie handling" - could you explain
more about it?
> I made
Hi!
> The root cause is browser's cookie handling.
> It appears that browsers do not lock cookies while updating cookies.
> Therefore a race condition happens and browsers send an empty cookie
> sometimes. I haven't checked the code, but observed it happens.
>
> I observed a handful of empty cookies a day
Hi Stas,
On Wed, Jan 13, 2016 at 8:03 AM, Stanislav Malyshev wrote:
>> I've disallowed empty session ID, but it wasn't an
>> appropriate fix.
>>
>> https://bugs.php.net/bug.php?id=68063
>
> Could you explain a bit more about the part where there are empty IDs
> generated? You
12 matches