---------- Forwarded message ---------
From: Anton Smirnov <aroke...@outlook.com>
Date: Sun, 3 Mar 2024 at 19:56
Subject: Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions
To: Kamil Tekiela <tekiela...@gmail.com>


Greetings!

I'm sorry for addressing you directly, if you can forward this message
to internals I'd be grateful. It seems outlook is still banned and I
can't re-subscribe with any other email (tried outlook, gmail, vivaldi
and a small private service)

On 02/03/2024 23:10, Kamil Tekiela wrote:
 > Hi Internals,
 >
 > I would like to start a discussion on a new RFC
 > https://wiki.php.net/rfc/deprecate-get-post-sessions
 >
 > Please let me know whether the idea is clear and the RFC is understandable.
 >
 > In particular, I am looking for any feedback as to why this is a bad
 > idea. The primary motivation behind this RFC is to reduce potential
 > security pitfalls.
 >
 > Regards,
 > Kamil Tekiela

Greetings!

As far as I know, some session-related middlewares force custom-only session_id
handling by setting

   use_cookies = Off
   use_only_cookies = On

and then using session_id(...) directly

Example:
https://github.com/middlewares/php-session/blob/master/src/PhpSession.php#L137

I think if you're making this hack impossible, you should provide an
alternative non-hackish way to do this.

Maybe just keep use_cookies = Off

A wild idea:

1) Add a temporary config

   # by default; current behavior;
   # throws a deprecation right from the introduction
   cookies.use_post_get = On
   # do not set the session from POST and GET
   cookies.use_post_get = Off

Remove it in 9 with the rest

2) keep use_cookies in PHP 9 with the updated meaning

I don't think it's a good solution, but maybe it can spark a better one.

Best,
Anton
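The pattern Anton describes (PHP's own cookie and GET/POST lookup switched off, the id taken from the request by the application and handed to session_id()), as an added example that is not code from the RFC or from middlewares/php-session. Assumed: the cookie name PHPSESSID, a cookie array already parsed from the request, and session.use_strict_mode as an extra setting.

```php
<?php
declare(strict_types=1);

/**
 * Start a session whose id comes only from the cookies the application
 * passes in, never from $_GET/$_POST and never from PHP's own cookie parsing.
 *
 * @param array<string,string> $cookies request cookies (e.g. from a PSR-7 request)
 * @return string the session id that was actually started
 */
function startSessionFromRequestCookies(array $cookies, string $name = 'PHPSESSID'): string
{
    // PHP must not read or write the session cookie itself ...
    ini_set('session.use_cookies', '0');
    // ... and must not fall back to the SID in the query string or request body.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Assumed extra setting: ids the save handler has never issued are rejected
    // and replaced, which blunts session fixation with an attacker-chosen id.
    ini_set('session.use_strict_mode', '1');
    session_name($name);

    $id = $cookies[$name] ?? '';
    // Cheap format check before handing the id to PHP: only the characters and
    // lengths PHP itself can generate; anything else is dropped so a fresh id is made.
    if ($id !== '' && preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $id) === 1) {
        session_id($id);
    }
    session_start();
    return session_id();
}

// Constructed sample input: a cookie jar as a middleware would extract it.
$sessionId = startSessionFromRequestCookies(['PHPSESSID' => 'abc']); // 'abc' fails the check, new id issued
```

With session.use_cookies off, PHP also stops emitting its Set-Cookie header, so the middleware has to write the returned id into the response cookie itself.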
