Re: [RFC] Secure Session Module Options by Default

From:	Yasuo Ohgaki	Date:	Mon, 12 May 2014 08:13:33 +0000
Subject:	Re: [RFC] Secure Session Module Options by Default
References:	1 2 3 4 5 6 7 8 9 10 11 12	Groups:	php.internals
Request:	Send a blank email to internals+get-74127@lists.php.net to get a copy of this message

Hi all,

On Fri, Apr 4, 2014 at 6:14 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Sure.
> These are simple changes for better session security.
> I have to update RFC so that everyone understand side effects of
> these changes.
>
> hash_bits_per_characters may stay the same and additional char to
> files save handler could be added simply.
> I'll update the RFC weekend, hopefully.
>

I updated the RFC. Sorry, it took so long.
I modified the RFC so that it only proposes INI value changes.
i.e. Removed behavior modifications "hash function fall back" and
"session ID collision detection in session module rather than save handler".

https://wiki.php.net/rfc/secure-session-options-by-default

Which version should include these?

Any comments?

--
Yasuo Ohgaki
yohgaki@ohgaki.net


   

Thread (30 messages)

• Yasuo OhgakiSat, 01 Feb 2014 22:33:37 +0000
  • Stas MalyshevSat, 01 Feb 2014 22:52:56 +0000
    • Yasuo OhgakiSat, 01 Feb 2014 23:59:59 +0000
      • Yasuo OhgakiSun, 02 Feb 2014 00:06:54 +0000
      • Stas MalyshevSun, 02 Feb 2014 07:14:04 +0000
        • Yasuo OhgakiSun, 02 Feb 2014 09:50:17 +0000
          • Yasuo OhgakiSun, 02 Feb 2014 09:51:51 +0000
          • Stas MalyshevSun, 02 Feb 2014 10:25:50 +0000
            • Yasuo OhgakiMon, 03 Feb 2014 02:08:28 +0000
              • Stas MalyshevMon, 03 Feb 2014 08:23:22 +0000
                • Yasuo OhgakiMon, 03 Feb 2014 10:35:26 +0000
                  • Pierre JoyeMon, 03 Feb 2014 10:43:22 +0000
                    • Yasuo OhgakiMon, 03 Feb 2014 10:47:59 +0000
                  • Lester CaineMon, 03 Feb 2014 11:02:09 +0000
  • Yasuo OhgakiSun, 02 Feb 2014 06:50:03 +0000Re: [RFC] Secure Session Module Options by Default
  • Yasuo OhgakiThu, 06 Feb 2014 06:15:11 +0000Re: [RFC] Secure Session Module Options by Default
    • Yasuo OhgakiThu, 06 Feb 2014 06:26:10 +0000
• Andrey AndreevMon, 03 Feb 2014 07:31:28 +0000Re: [RFC] Secure Session Module Options by Default
  • Yasuo OhgakiMon, 03 Feb 2014 10:18:46 +0000
    • Andrey AndreevMon, 03 Feb 2014 10:54:01 +0000
      • Yasuo OhgakiMon, 03 Feb 2014 21:48:17 +0000
        • Andrey AndreevMon, 03 Feb 2014 22:29:52 +0000
          • Yasuo OhgakiMon, 03 Feb 2014 23:05:06 +0000
            • Andrey AndreevTue, 04 Feb 2014 12:59:33 +0000
              • Yasuo OhgakiWed, 05 Feb 2014 00:13:42 +0000
                • Andrey AndreevWed, 05 Feb 2014 20:00:52 +0000
                  • Yasuo OhgakiWed, 05 Feb 2014 21:58:44 +0000
                    • Andrey AndreevThu, 03 Apr 2014 09:31:58 +0000
                      • Yasuo OhgakiFri, 04 Apr 2014 09:14:07 +0000
                        • Yasuo OhgakiMon, 12 May 2014 08:13:33 +0000