Re: [RFC] [Discussion] Secure session_regenerate_id()

From: Yasuo Ohgaki <yohgaki@ohgaki.net>
Date: Thu, 20 Mar 2014 08:30:36 +0000
Subject: Re: [RFC] [Discussion] Secure session_regenerate_id()
Groups: php.internals
Hi Mateusz,

On Thu, Mar 20, 2014 at 5:23 PM, Mateusz Kocielski <shm@digitalsun.pl> wrote:

> > > I agree. But we've got more factors here, it's not a simple tool for
> > > detection of crimes. If we let "old session" live for x secs, what
> > > will happen to changes done to the old session? How do you want to
> > > resolve that? We should find a balance between complexity and security.
> >
> > Currently we have poor mitigation. My proposal provides better
> > mitigation.
>
> I still don't see how you want to handle inconsistency between sessions. It
> seems that your RFC silently ignores that issue.

I'm not sure which inconsistency. Could you specify/describe it?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
