Hi Lester,

On Fri, Aug 12, 2016 at 5:01 PM, Lester Caine <les...@lsces.co.uk> wrote:
> On 12/08/16 00:20, Yasuo Ohgaki wrote:
>> I missed handling session.hash_bits_per_character here. There are
>> people validating SID (used chars and length) via WAF or PHP code.
>> session.hash_bits_per_character handling is mandatory for such systems.
>
> Since 'id' is a variable, isn't this just a specialist constraint
> applied to that variable ;) The various new hash rules follow the same
> pattern. Add a domain of 'session_id' to the variable and that selects
> all the right rules to handle it ... yes specialist code generating a
> special variable may be more efficient, but if the framework is right
> then one can simply adjust the rules on a generic variable to cater for
> your own requirements?

I don't think it's the framework's job to do.

See the "User land session_create_id() is easy" section.
https://wiki.php.net/rfc/session-create-id#discussions

It's neither easy nor a task for frameworks.

If a framework would like to write session_create_id() "properly",
the framework must access the session storage database. Let's say the storage is
memcached, then the framework must open a memcached connection by itself and
perform session ID validation. Let's say the storage is PostgreSQL, then
the framework must open... the same for every other session save
handler written in C.

Clearly, it's not a task for the framework, but for the session module.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
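
The point argued in the message above, as an added example that is not part of the original e-mail or of PHP's session module: a user-land ID generator has to reach the session storage itself to rule out collisions, and the format check a WAF applies depends on session.hash_bits_per_character. `SessionStore`, `ArrayStore`, `sid_is_well_formed()` and `userland_create_id()` are hypothetical names, and the in-memory store is a constructed stand-in for memcached, PostgreSQL or any other backend.

```php
<?php
declare(strict_types=1);

// Character sets PHP documents for session.hash_bits_per_character = 4, 5, 6.
const SID_ALPHABETS = [
    4 => '0123456789abcdef',
    5 => '0123456789abcdefghijklmnopqrstuv',
    6 => '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-',
];

// Hypothetical abstraction: user-land code needs its own connection to the
// backend the save handler uses, only to ask "is this ID already taken?".
interface SessionStore { public function exists(string $id): bool; }

// Constructed in-memory stand-in for a real backend (PHP 7.4+ for typed props).
final class ArrayStore implements SessionStore {
    private array $ids = [];
    public function add(string $id): void { $this->ids[$id] = true; }
    public function exists(string $id): bool { return isset($this->ids[$id]); }
}

// The check a WAF or PHP-side validator applies: used characters and length.
function sid_is_well_formed(string $id, int $bits, int $length): bool {
    $alphabet = SID_ALPHABETS[$bits] ?? null;
    return $alphabet !== null
        && strlen($id) === $length
        && strspn($id, $alphabet) === $length;
}

function userland_create_id(SessionStore $store, int $bits = 4,
                            int $length = 32, int $maxTries = 5): string {
    $alphabet = SID_ALPHABETS[$bits] ?? null;
    if ($alphabet === null || $length < 1) {
        throw new InvalidArgumentException('unsupported bits per character or length');
    }
    for ($try = 0; $try < $maxTries; $try++) {
        $id = '';
        for ($i = 0; $i < $length; $i++) {
            $id .= $alphabet[random_int(0, (1 << $bits) - 1)]; // CSPRNG-backed
        }
        if (!$store->exists($id)) {   // collision check requires storage access
            return $id;
        }
    }
    throw new RuntimeException('could not allocate an unused session ID');
}

$store = new ArrayStore();
$id = userland_create_id($store, 5, 26);
$store->add($id);
var_dump(sid_is_well_formed($id, 5, 26), sid_is_well_formed($id . '!', 5, 26));
```

In this sketch the `exists()` call and the later write are separate steps, so two concurrent requests could still pick the same ID; closing that gap also requires cooperation from the storage layer.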
