Newsgroups: php.internals
From: tekiela246@gmail.com (Kamil Tekiela)
Date: Sun, 3 Mar 2024 22:33:37 +0100
Subject: Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions
To: PHP internals
Cc: arokettu@outlook.com

Hi Anton,

> As I know some session-related middlewares force custom-only session_id
> handling by setting
>
> use_cookies = Off
> use_only_cookies = On
>
> and then using session_id(...) directly
>
> Example:
> https://github.com/middlewares/php-session/blob/master/src/PhpSession.php#L137

I was not aware that some frameworks do that. But I don't understand how this works. IMHO if you disable the use of cookies, but you also tell PHP to use only cookies, it creates an impossible scenario. Isn't that right?

The way I understand it is that there are 2 ways of propagating session ID: cookies and GET/POST. You can tell PHP to use both or either one of them, but not neither.

Only cookies:
use_only_cookies = On
use_cookies = On

Only GET/POST:
use_only_cookies = Off
use_cookies = Off

Both:
use_only_cookies = Off
use_cookies = On

The remaining 4th combination should create an impossible scenario. Does it mean to use neither option?

I can change the proposal to deprecate only use_only_cookies=Off and session.use_trans_sid=On and leave session.use_cookies alone, but I just can't think of a situation when leaving that setting in PHP would make sense. I am probably missing something very important and I would appreciate it if someone could explain to me what it is. I wouldn't want to deprecate something that is used in popular frameworks.
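
An added example, not part of the original message and not taken from the linked middleware: a minimal PHP sketch of the fourth combination, in which PHP's built-in propagation is switched off in both directions and the application reads, validates and re-issues the session ID itself. The cookie name `APPSESSID` and the three helper functions are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical cookie name chosen for this sketch.
const SESSION_COOKIE = 'APPSESSID';

function configureManualSessions(): void
{
    ini_set('session.use_cookies', '0');      // PHP neither reads nor sends the session cookie
    ini_set('session.use_only_cookies', '1'); // PHP does not take an ID from GET/POST
    ini_set('session.use_trans_sid', '0');    // no session ID rewritten into URLs
    ini_set('session.use_strict_mode', '1');  // an ID unknown to the save handler is replaced
}

// $cookies holds already-decoded request cookies, as $_COOKIE does.
function startSessionFromCookies(array $cookies): string
{
    $id = $cookies[SESSION_COOKIE] ?? '';
    // Hand PHP only IDs of a shape it can generate itself; anything else
    // is ignored and session_start() creates a fresh ID.
    if (is_string($id) && preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1) {
        session_id($id);
    }
    session_start();
    return session_id();
}

// With use_cookies off, the application has to emit the cookie itself.
function sessionCookieHeader(string $id): string
{
    return sprintf(
        'Set-Cookie: %s=%s; Path=/; Secure; HttpOnly; SameSite=Lax',
        SESSION_COOKIE,
        rawurlencode($id)
    );
}

configureManualSessions();
// Constructed ID that the server never issued, standing in for a client-supplied value.
$id = startSessionFromCookies([SESSION_COOKIE => str_repeat('a', 32)]);
echo sessionCookieHeader($id), PHP_EOL;
```

Run from the CLI, the printed ID differs from the constructed one because strict mode refuses to adopt an ID the save handler has never stored.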