Re: [RFC] Secure Session Module Options by Default
Hi!
> I see some users are generating unsafe session IDs. The purpose of the change is
> not to generate an insecure ID when a user wants some prefix in the session ID.
What's an "insecure session ID" and how is it related to the matter we are
discussing?
> Yes.
> Currently, if 'foo' is not there already, session_id('foo') does not set
> the session ID, but creates a new random session ID when use_strict_mode=on.
>
> string session_id(string $prefix_or_id [, bool $use_prefix=FALSE]);
>
> $use_prefix=TRUE will bypass use_strict_mode=on.
I still don't understand what use_prefix has to do with secure session
and why use_prefix would bypass strict mode. Something is missing here
for me. Could you give some more detailed explanation of what you're
trying to do here?
> As discussed in the other thread, mcrypt_create_iv() is a good one, but
> it has some limitations. That's the reason why I think it would be
> better to have a function that generates a secure random ID somehow.
We have two functions that generate random sequences - one in openssl
and one in mcrypt. Why do we need a third one?
> Anyway, it is time to compile openssl module by default. IMHO.
Why must we control what the user compiles? The users that know what
they're doing will compile it anyway, the users that don't will use
distros which couldn't care less about our defaults and build all
extensions separately anyway. I don't see which problem you're trying to
fix here.
> It makes security a lot simpler/easier for both users and internal
> developers.
What exactly is hard now but becomes easier? Typing --with-openssl is
not hard.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227