superasn 8 hours ago

Every time I read one of these it always boils down to the same thing: don't solve solved problems. And the best code in this case is code you didn't write, as PHP's session handler is battle-tested, but every line you write to roll your own is a line you have to secure, maintain, and eventually patch at 2am when someone finds the bug.

Session handling, auth, crypto, password hashing, etc. - all these are the exact areas where you should be the most allergic to rolling your own. Not because you're not smart enough, but because a simple bug like sanitizing in the wrong place means the failure is catastrophic, like in this instance.

Use boring, proven, widely-audited solutions. Save your creativity for the actual problem you're solving.

bananamogul 8 hours ago | parent | next [-]

“And the best code in this case is code you didn't write as PHP's session handler is battle-tested”

cPanel is written in Perl.

superasn 8 hours ago | parent [-]

Oh, you're right to push back. I just love saying this nowadays :P Anyway, I haven't used these languages in a long time, but the code looked like PHP to me, though I did notice the .pm file extension and wondered where I'd seen it before.

hparadiz 3 hours ago | parent [-]

PHP has built-in session handling and the ability to store sessions locally, in memory, or in an RDBMS database, or you can implement SessionHandlerInterface and SessionIdInterface with your own custom class.

It's probably the most battle hardened session system ever.

shawnz 8 hours ago | parent | prev | next [-]

cPanel is 30 years old; are you saying it's not battle-tested, boring, proven, and widely audited?

In fact PHP is only a few months older than it.

ryandrake 8 hours ago | parent | prev | next [-]

I don't even know why you'd want to re-implement this stuff, too. It's not exciting or sexy work. It's like time parsing, time zone handling, leap years... Why would you want to inflict that on yourself? You will 100% not handle every edge case, and you will 100% get time and time zone handling bugs.

TZubiri an hour ago | parent | prev | next [-]

But it's not the same thing every time; for example, if you had written 'your own' HTTP request you wouldn't have been hit by the axios vuln.

If you rolled your own crypto and didn't install AF_ALG, you would have avoided copy fail.

Even in this case if you had implemented your own control panel, you wouldn't be hit.

Actually roll your own, don't add dependencies.

londons_explore 3 hours ago | parent | prev [-]

I doubt the mantra of "don't roll your own auth/crypto" - especially if it lives on a server where the code can't be inspected.

Sure, there will be more bugs in my code, but the attackers will be putting far more scrutiny into a widely used library.

Some deliberately, hilariously weak auth I built decades ago is only just now starting to get broken into by AI bots, whereas any vulnerable WordPress was broken into within days.

Ekaros an hour ago | parent [-]

Thinking of use cases where the services I build have a reasonably low internal userbase, maybe rolling your own is not always the worst choice. After all, it leads to manual, or at least targeted, work by attackers, instead of the very common random spraying. So the risks might in the end be lower.