Just wanted to let you know I voted no because of the BC breaking change to the INI options that could easily break many custom session handlers — any session handler that stores the sessions in a fixed-width column will be broken.
I'm fine changing the defaults in the php.ini-*, but not changing the defaults in the code. Also, documenting the better values as recommended. Putting my RM hat on, I'm not comfortable merging this in 7.1 with an unnecessary BC breaking change. Changing the default is the BC break, regardless of the _ability_ to change the settings back to the previous values.

On Sat, Jul 23, 2016 at 9:50 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi all,
>
> Due to a defect in the RFC, vote is reopened for a week. Removed lines
> are indicated by <del></del>. No additional lines nor modifications
> other than removed lines for session.use_strict_mode change.
> Sorry for the confusion!
>
> ============
>
> Currently session module uses obsolete MD5 for session ID. With
> CSPRNG, hashing is redundant and needless. It adds hash module
> dependency and is inefficient (There is no reason to use hash for CSPRNG
> generated bytes).
>
> This proposal cleans up session code by removing hash.
>
> https://wiki.php.net/rfc/session-id-without-hashing
>
> I set vote requires 2/3 support.
> Please describe the reason why when you are against this RFC. Reasons are
> important for improvements!
>
> Thank you!
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php