Hello Yasuo,

On Sun, Dec 20, 2015 at 7:01 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:

> Hi all,
>
> On Sat, Dec 19, 2015 at 7:33 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> > I would like to restart better session management for PHP 7.1.
> >
> > https://wiki.php.net/rfc/precise_session_management
> >
> > Although this RFC targets PHP 7.1, the new session management
> > could be applied to older releases also if the majority of us agree.
> > Please comment.
>
> I would like to write a patch for this next week.
> If you have comments, please comment this week.
>

This week is hard due to several holidays; I would recommend postponing
discussion until after.

However, I will comment on a few things that I dislike about the RFC:

Exposing the internal state of the session via a key on the session
__SESSION_INTERNAL__ may be dangerous.  How are you preventing writes to
this area?  Is an exception or error thrown?  I also do not feel that it is
worth encoding this directly into the session value but would be of far
greater benefit to expose through functions and ensure it is not touched
and protected from user land.  Anything that messes with the $_SESSION can
cause major issues (for instance upload progress did this and can cause
session corruption in certain cases as it manipulates the session state).

I fully agree that session_regenerate_id needs some additional work.
Although, I do not think that the implementation here seems like the
correct path as a general comment.

>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
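One way to address the write-protection question raised above, as an added example that is not the RFC's or PHP's own code: a save handler (assumed name MetaGuardHandler) that keeps its bookkeeping outside the array user land sees, and discards whatever user land writes under the reserved key. It assumes session.serialize_handler=php_serialize (so session data is plain serialize() output) and uses an in-memory array standing in for a file or database store.

```php
<?php
// Added illustration, not code from the RFC or from PHP itself.
// Requires session.serialize_handler=php_serialize; the handler name and
// the in-memory store are assumptions for this example.
final class MetaGuardHandler implements SessionHandlerInterface
{
    const INTERNAL_KEY = '__SESSION_INTERNAL__'; // reserved key named in the RFC
    private $store = []; // session id => serialized data (stand-in for files/db)
    private $meta  = []; // session id => bookkeeping, never exposed to user land

    public function open($path, $name) { return true; }
    public function close() { return true; }
    public function destroy($id) { unset($this->store[$id], $this->meta[$id]); return true; }
    public function gc($maxlifetime) { return true; }

    public function read($id)
    {
        $data = isset($this->store[$id]) ? unserialize($this->store[$id]) : [];
        if (!is_array($data)) { $data = []; }
        // Keep the internal record on our side and strip it before user land sees it.
        if (isset($data[self::INTERNAL_KEY])) {
            $this->meta[$id] = $data[self::INTERNAL_KEY];
            unset($data[self::INTERNAL_KEY]);
        }
        if (!isset($this->meta[$id])) {
            $this->meta[$id] = ['created' => time()]; // constructed sample metadata
        }
        return serialize($data);
    }

    public function write($id, $raw)
    {
        $data = unserialize($raw);
        if (!is_array($data)) { $data = []; }
        // Anything user land put under the reserved key is dropped; our copy wins.
        $data[self::INTERNAL_KEY] = isset($this->meta[$id])
            ? $this->meta[$id] : ['created' => time()];
        $this->store[$id] = serialize($data);
        return true;
    }

    // Read-only access for the engine side; user land never sees the key itself.
    public function meta($id) { return isset($this->meta[$id]) ? $this->meta[$id] : null; }
}

ini_set('session.serialize_handler', 'php_serialize');
session_set_save_handler(new MetaGuardHandler(), true);
```

With this handler, `$_SESSION['__SESSION_INTERNAL__'] = 'x'` or `$_SESSION = []` in user land leaves the stored metadata untouched, because the key is re-attached from the handler's own copy on every write.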
