rfc:secure_serialization
Differences
rfc:secure_serialization [2015/12/30 20:38] – yohgaki | rfc:secure_serialization [2018/03/01 23:18] (current) – RFC is Under Discussion carusogabriel
Line 3: | Line 3: | ||
* Date: 2015-12-30 | * Date: 2015-12-30 | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
Line 20: | Line 20: | ||
===== Proposal ===== | ===== Proposal ===== | ||
- | * Add secure_serialize() and secure_unserialize() supports message authentication code generation/ | + | * Add serialize_mhac() and unserialize_mhac() supports message authentication code generation/ |
<code php> | <code php> | ||
- | string | + | string |
- | mixed secure_unserialize(mixed $data_to_be_unserialized , mixed $secret_keys) | + | mixed unserialize_mhac(mixed $data_to_be_unserialized , mixed $secret_keys) |
</ | </ | ||
- | ==== How secure_serialize() works ==== | + | ==== How serialize_mhac() works ==== |
Pseudo code | Pseudo code | ||
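Review bot: the new names serialize_mhac()/unserialize_mhac() never say what "mhac" abbreviates, while the bullet above calls the feature "message authentication code generation"; either use the standard abbreviation for the construction the pseudo code actually uses (HMAC, if that is what it is) or define "mhac" in the proposal, because the function name is the public API surface people will search for. In the same signature, `mixed $data_to_be_unserialized` should be `string`: serialized data is always a string, and accepting `mixed` invites callers to pass an already-unserialized value and get a confusing failure rather than a type error.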
Line 69: | Line 69: | ||
- | ==== How secure_unserialize() works ==== | + | ==== How unserialize_mhac() works ==== |
Pseudo code | Pseudo code | ||
<code php> | <code php> | ||
- | function | + | function |
if (strlen($secret_key) < 32) { | if (strlen($secret_key) < 32) { | ||
trigger_error(' | trigger_error(' | ||
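Review bot: `strlen($secret_key) < 32` validates a single `$secret_key`, but the signature declares `mixed $secret_keys`; the pseudo code should state which forms (string, array of strings) are accepted and show that every key is length-checked before it is used for a MAC. Whatever error level the truncated `trigger_error()` call uses, a key shorter than 32 bytes must not fall through into MAC computation; make the short-key case a hard stop (exception or an early `return FALSE`), not a warning the caller can suppress.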
Line 101: | Line 101: | ||
$k); | $k); | ||
} | } | ||
+ | if ($mac !== $tmp[' | ||
+ | | ||
+ | } | ||
+ | // Unserialize data normally and return | ||
+ | return unserialize($tmp[' | ||
} | } | ||
- | | + | return FALSE; |
- | if ($mac !== $tmp[' | + | |
- | | + | |
- | } | + | |
- | // Unserialize data normally and return | + | |
- | return unserialize($tmp[' | + | |
} | } | ||
</ | </ | ||
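Review bot: the MAC check `if ($mac !== $tmp[...])` is a byte-wise string comparison that stops at the first differing byte, so verification time leaks how many leading bytes of a supplied MAC are correct; compare with `hash_equals($tmp[...], $mac)` (constant-time, available since PHP 5.6) instead. Separately, with the check now inside the per-key loop and `return FALSE;` placed after the loop, a MAC that matches under none of the keys returns FALSE, which is indistinguishable from successfully unserializing a serialized `false`; document that, or report the failure out of band (warning or exception) so callers can tell tampered input from a legitimate FALSE value.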
Line 158: | Line 158: | ||
If session module stores old session ID, automatic fallback to old session ID may be supported. | If session module stores old session ID, automatic fallback to old session ID may be supported. | ||
- | Compatibility functions for older releases may be implemented as PHP script. | + | Encryption is more secure than authentication code. Implement serialize_crypt/ |
===== Proposed Voting Choices ===== | ===== Proposed Voting Choices ===== |
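Review bot: "Encryption is more secure than authentication code" is not accurate for this use case and should be reworded: unauthenticated encryption does not detect modification, and the threat unserialize() faces is attacker-controlled input, which a MAC addresses directly. If serialize_crypt/unserialize_crypt are to be proposed, state that they authenticate as well as encrypt (encrypt-then-MAC or an AEAD mode), and explain why the sentence about compatibility functions for older releases was dropped, since the rename otherwise leaves older releases with no migration path to these functions.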
rfc/secure_serialization.1451507880.txt.gz · Last modified: 2017/09/22 13:28 (external edit)