Re: Session Id Collisions

From:	Yasuo Ohgaki	Date:	Mon, 05 Aug 2013 09:50:16 +0000
Subject:	Re: Session Id Collisions
References:	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16	Groups:	php.internals
Request:	Send a blank email to internals+get-68373@lists.php.net to get a copy of this message

Hi Arpad,

On Mon, Aug 5, 2013 at 6:22 PM, Arpad Ray <arraypad@gmail.com> wrote:

> I thought we were in agreement about doing this properly in PHP.next? My
> arguments against this version of the patch still stand:


We had long discussion and decided to apply maintained branches
as security enhancement more than a year ago. We also planned to
apply the patch into 5.3 originally, but 5.3 is security fix only now.

Anyway, if users are resetting session id properly, they are protected
against session adoption attacks. However, users are not protect their
apps properly, then they are at the risk of session adoption. This fix is
rather important for PHP, since there are many setups that share
PHP with many apps. That's the reason why we decided to apply
this patch into maintained branches.

PHP web server admins should feel much safer than before with this
feature.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net


   

Thread (37 messages)

• Raymond IrvingThu, 23 Aug 2012 04:48:12 +0000
  • Rasmus LerdorfThu, 23 Aug 2012 15:03:32 +0000
    • Raymond IrvingThu, 23 Aug 2012 15:26:14 +0000
      • Sherif RamadanThu, 23 Aug 2012 15:53:28 +0000
        • Yasuo OhgakiSat, 25 Aug 2012 02:47:16 +0000
          • Ferenc KovacsSat, 25 Aug 2012 16:40:05 +0000
            • Yasuo OhgakiSat, 25 Aug 2012 22:02:29 +0000
              • Stas MalyshevSun, 26 Aug 2012 08:57:30 +0000
                • Yasuo OhgakiSun, 26 Aug 2012 20:49:20 +0000
          • Stas MalyshevSun, 26 Aug 2012 07:37:45 +0000
            • Yasuo OhgakiSun, 26 Aug 2012 20:55:40 +0000
              • Stas MalyshevSun, 26 Aug 2012 21:30:29 +0000
                • Yasuo OhgakiSun, 26 Aug 2012 21:33:25 +0000
              • Yasuo OhgakiSun, 26 Aug 2012 21:31:25 +0000
                • Stas MalyshevSun, 26 Aug 2012 21:35:06 +0000
                  • Yasuo OhgakiSun, 26 Aug 2012 21:36:52 +0000
                    • Yasuo OhgakiMon, 24 Dec 2012 06:32:17 +0000
                      • Yasuo OhgakiThu, 27 Jun 2013 00:36:24 +0000
                        • Arpad RayThu, 27 Jun 2013 09:02:53 +0000
                          • Yasuo OhgakiThu, 27 Jun 2013 10:51:42 +0000
                        • Stas MalyshevMon, 05 Aug 2013 00:15:43 +0000
                          • Stas MalyshevMon, 05 Aug 2013 00:45:30 +0000
                            • Yasuo OhgakiMon, 05 Aug 2013 01:01:31 +0000
                              • Arpad RayMon, 05 Aug 2013 09:22:45 +0000
                                • Yasuo OhgakiMon, 05 Aug 2013 09:50:16 +0000
                                  • Arpad RayMon, 05 Aug 2013 10:05:15 +0000
                                    • Yasuo OhgakiMon, 05 Aug 2013 10:10:14 +0000
                                      • Arpad RayMon, 05 Aug 2013 10:26:58 +0000
                                        • Yasuo OhgakiMon, 05 Aug 2013 10:38:42 +0000
                                          • Arpad RayMon, 05 Aug 2013 16:04:53 +0000
                                            • Yasuo OhgakiMon, 05 Aug 2013 18:46:51 +0000
                                              • Arpad RayMon, 05 Aug 2013 19:17:10 +0000
                                                • Stas MalyshevMon, 05 Aug 2013 19:23:33 +0000
                                                  • Arpad RayMon, 05 Aug 2013 19:33:35 +0000
                                                    • Yasuo OhgakiMon, 05 Aug 2013 19:57:40 +0000
                                                • Yasuo OhgakiMon, 05 Aug 2013 19:41:29 +0000
                      • Stas MalyshevFri, 28 Jun 2013 21:06:59 +0000