Newsgroups: php.internals
From: tekiela246@gmail.com (Kamil Tekiela)
Date: Sun, 3 Mar 2024 22:14:24 +0100
Subject: Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions
To: PHP internals

---------- Forwarded message ---------
From: Anton Smirnov
Date: Sun, 3 Mar 2024 at 19:56
Subject: Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions
To: Kamil Tekiela

Greetings!

I'm sorry for addressing you directly; if you can forward this message to internals I'd be grateful. It seems Outlook is still banned and I can't re-subscribe with any other email (tried Outlook, Gmail, Vivaldi and a small private service).

On 02/03/2024 23:10, Kamil Tekiela wrote:
> Hi Internals,
>
> I would like to start a discussion on a new RFC
> https://wiki.php.net/rfc/deprecate-get-post-sessions
>
> Please let me know whether the idea is clear and the RFC is understandable.
>
> In particular, I am looking for any feedback as to why this is a bad
> idea. The primary motivation behind this RFC is to reduce potential
> security pitfalls.
>
> Regards,
> Kamil Tekiela

Greetings!

As far as I know, some session-related middlewares force custom-only session_id handling by setting

    use_cookies = Off
    use_only_cookies = On

and then using session_id(...) directly.

Example: https://github.com/middlewares/php-session/blob/master/src/PhpSession.php#L137

I think if you're making this hack impossible, you should provide an alternative, non-hackish way to do this. Maybe just keep use_cookies = Off.

A wild idea:

1) Add a temporary config

    # by default; current behavior;
    # throws a deprecation right from the introduction
    cookies.use_post_get = On

    # do not set the session from POST and GET
    cookies.use_post_get = Off

   Remove it in 9 with the rest.

2) Keep use_cookies in PHP 9 with the updated meaning.

I don't think it's a good solution but maybe it can spark a better one.

Best,
Anton
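The pattern Anton describes (use_cookies = Off, use_only_cookies = On, then session_id() set by the application) is shown below as an added example; it is not code from this thread, from the RFC, or from the middlewares/php-session project. The custom cookie name X_SESSION, the function names, and the constructed request arrays are assumptions made for the example. The point of the configuration is that PHP itself reads the session id from nowhere, so neither a PHPSESSID query parameter nor a POST field can fixate a session; the example also surfaces any such parameter in the logs so a defender sees the attempt.

```php
<?php
// Added example: cookie-free session-id handling as described in the thread.
// Not the middleware's code; names and sample input are constructed here.
declare(strict_types=1);

// Constructed cookie name the application manages itself (assumption).
const APP_SESSION_COOKIE = 'X_SESSION';

/** Make the session extension consult neither cookies nor GET/POST for an id. */
function configureCustomOnlySessions(): void
{
    ini_set('session.use_cookies', '0');      // PHP sends/reads no session cookie itself
    ini_set('session.use_only_cookies', '1'); // and never falls back to GET/POST
    ini_set('session.use_trans_sid', '0');    // no URL rewriting with the id
    ini_set('session.use_strict_mode', '1');  // ids the save handler never issued are discarded
}

/**
 * Return true when the request carried a session id in its parameters.
 * The server ignores it under the configuration above; logging it is still
 * useful, because that is the behaviour the RFC proposes to deprecate.
 */
function sessionIdArrivedInParameters(array $get, array $post, string $name): bool
{
    return array_key_exists($name, $get) || array_key_exists($name, $post);
}

/**
 * Take the id from the application's own cookie only if it looks like a
 * PHP session id (sid_bits_per_character 4..6 alphabets), else null.
 */
function sessionIdFromOwnCookie(array $cookies): ?string
{
    $candidate = $cookies[APP_SESSION_COOKIE] ?? null;
    if (!is_string($candidate) || !preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $candidate)) {
        return null;
    }
    return $candidate;
}

/**
 * Start the session with an id chosen by the application. With
 * session.use_cookies=0 PHP emits no Set-Cookie, so the caller is
 * responsible for sending APP_SESSION_COOKIE with the returned id.
 */
function startCustomSession(array $get, array $post, array $cookies): string
{
    configureCustomOnlySessions();

    if (sessionIdArrivedInParameters($get, $post, session_name())) {
        // Detection only: never honour an id from GET/POST.
        error_log(sprintf('session id "%s" supplied via GET/POST; ignored', session_name()));
    }

    $id = sessionIdFromOwnCookie($cookies) ?? session_create_id();
    session_id($id);
    session_start();
    // Under use_strict_mode an unknown id is replaced, so re-read the real one.
    return session_id();
}

if (PHP_SAPI === 'cli') {
    // Constructed request: an id smuggled in the query string and a valid own cookie.
    $get     = [session_name() => 'attacker-chosen-value'];
    $post    = [];
    $cookies = [APP_SESSION_COOKIE => bin2hex(random_bytes(16))];

    $id = startCustomSession($get, $post, $cookies);
    printf("active session id: %s\n", $id);
    printf("matched attacker value: %s\n", $id === 'attacker-chosen-value' ? 'yes' : 'no');
    session_write_close();
}
```

Because use_strict_mode is on, the constructed cookie value (never issued by the save handler) is replaced with a fresh id at session_start(), which is the desired outcome for an unknown id; a real application would then set its own cookie to the returned value.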