Hi Leigh,

One more piece of additional info.

On Fri, Aug 12, 2016 at 7:58 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> IMHO, mandatory API should be in PHP even if it's easy to implement
> and basic API should be in PHP unless it is too easy to be implemented
> in userland.

A session SID validation function should be mandatory for user-defined
save handlers. Unless we have a ready-to-use session_create_id(), they
have to implement it by themselves. Requiring something like

function session_create_id(string $prefix)
{
    $length = (int) ini_get('session.sid_length');
    // Encode random bytes; twice the SID length leaves enough characters
    $encoded = base64_encode(random_bytes($length * 2));
    // Use same charset as PHP
    $sid = substr(rtrim(strtr($encoded, '+/', ',-'), '='), 0, $length);

    // A prefix goes in front of the generated part
    $sid = $prefix . $sid;

    // Now validate SID so that it does not have collisions (pseudocode):
    //   when session is active, connect to database and validate SID
    //     try to fetch sid
    //       if sid is there
    //         try again to generate SID a few times
    //     if SID validation failed
    //       fatal error
    //     return safe SID
    //   when session is inactive
    //     return unvalidated SID
    return $sid;
}

is not good API design, IMHO.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
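
The collision check that the message leaves as pseudocode, written out as an added example (not part of the original message and not PHP's own implementation). The function name create_unique_sid(), the $exists callback and the in-memory $store are assumptions standing in for a real save handler's storage lookup.

```php
<?php
/**
 * Generate a session ID that the storage lookup reports as unused.
 * $exists is a hypothetical callback into the save handler's storage.
 */
function create_unique_sid(callable $exists, string $prefix = '',
                           int $length = 32, int $maxTries = 3): string
{
    for ($try = 0; $try < $maxTries; $try++) {
        // $length random bytes encode to more than $length characters.
        $encoded = base64_encode(random_bytes($length));
        // Same character mapping as in the message; drop '=' padding.
        $sid = $prefix . substr(rtrim(strtr($encoded, '+/', ',-'), '='), 0, $length);

        // Accept the ID only if storage has no session under it.
        if (!$exists($sid)) {
            return $sid;
        }
    }
    // Repeated collisions point at a broken random source or storage:
    // fail closed instead of handing out an ID that is already in use.
    throw new RuntimeException('Could not generate a collision-free session ID');
}

// Constructed in-memory stand-in for the handler's database.
$store = ['app-existing' => 'serialized session data'];

$sid = create_unique_sid(
    function (string $id) use (&$store): bool {
        return isset($store[$id]);
    },
    'app-'
);

// Reserve the ID before it is sent to the client. With a real database,
// an INSERT under a unique constraint closes the gap between check and write.
$store[$sid] = '';
echo $sid, "\n";
```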

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php