Hi Ferenc,
2011/12/2 Ferenc Kovacs <[email protected]>:
>
> wouldn't it be better if we push the session id validation to the
> application level?
> we should provide a hook both to the C api and to
> the session_set_save_handler.
> of course we can additionally change the default range of valid characters
> for the default session handler implementation, but it would still be possible
> for the application developer to change or extend that.
>
It's possible with session_set_save_handler(), but users would have to
implement all save handlers. session_set_save_handler() could be
modified just to add a validation function and choose any chars except
the chars invalidated by php_session_initialize():

    /* check session name for invalid characters */
    if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
        efree(PS(id));
        PS(id) = NULL;
    }

For example, we may do

    bool session_set_save_handler(SESSION_SET_VALIDATE_ID,
                                  "my_validation_id_function");
There are many possible implementations.
Any comments?
Regards,
--
Yasuo Ohgaki
[email protected]
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
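Added example (editor's illustration, not code from the PHP source tree or from this thread): the strpbrk() blacklist quoted above rejects only a handful of characters, so a user-supplied id such as "../../../../../../tmp/sess_x" passes it. The second function below is a hypothetical application-level validator of the kind the proposed SESSION_SET_VALIDATE_ID hook would call; its name, the allowlist ([0-9a-zA-Z,-], the characters PHP's default id generator emits with session.hash_bits_per_character=6) and the length bounds are assumptions chosen for the example, not anything the thread specifies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same blacklist as the quoted php_session_initialize() check:
 * an id is rejected if it contains any of these characters. */
static const char INVALID_ID_CHARS[] = "\r\n\t <>'\"\\";

bool id_passes_core_blacklist(const char *id)
{
    return id != NULL && strpbrk(id, INVALID_ID_CHARS) == NULL;
}

/* Hypothetical validator for the proposed hook (name assumed from the
 * thread's example). Allowlist approach: every byte must be one of
 * [0-9a-zA-Z,-] and the length must lie within [min_len, max_len].
 * Bounds are the caller's assumption, not a PHP default. */
bool my_validation_id_function(const char *id, size_t min_len, size_t max_len)
{
    if (id == NULL)
        return false;

    size_t len = 0;
    for (; id[len] != '\0'; len++) {
        if (len >= max_len)           /* too long: stop scanning early */
            return false;
        unsigned char c = (unsigned char)id[len];
        bool ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                  (c >= 'A' && c <= 'Z') || c == ',' || c == '-';
        if (!ok)
            return false;
    }
    return len >= min_len;
}

/* Order the proposal implies: core blacklist first, then the app hook.
 * 22..128 are assumed bounds for this example. */
bool session_id_is_valid(const char *id)
{
    return id_passes_core_blacklist(id) &&
           my_validation_id_function(id, 22, 128);
}

int main(void)
{
    /* Constructed sample ids, not captured traffic. */
    const char *samples[] = {
        "0123456789abcdefghijklmnop",        /* looks like a generated id */
        "../../../../../../tmp/sess_x",      /* traversal-shaped, no blacklisted chars */
        "abc def",                           /* contains a space: blacklisted */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-32s blacklist=%d allowlist=%d combined=%d\n", samples[i],
               id_passes_core_blacklist(samples[i]),
               my_validation_id_function(samples[i], 22, 128),
               session_id_is_valid(samples[i]));
    }
    return 0;
}
```

The point the table makes when run: the traversal-shaped id passes the core blacklist and is only stopped by the allowlist, which is why pushing validation to a hook with its own character policy, as the thread proposes, is worth more than extending the blacklist.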