Newsgroups: php.internals
Date: Mon, 4 Mar 2024 18:21:16 +0200
Subject: Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions
From: sandfox@vivaldi.net (Anton Smirnov)
To: PHP internals
Message-ID: <93d8b10f-76d7-458f-b85a-f28ae934445d@vivaldi.net>

On 03/03/2024 23:33, Kamil Tekiela wrote:
> Hi Anton,
>
>> As I know some session-related middlewares force custom-only session_id
>> handling by setting
>>
>> use_cookies = Off
>> use_only_cookies = On
>>
>> and then using session_id(...) directly
>>
>> Example:
>> https://github.com/middlewares/php-session/blob/master/src/PhpSession.php#L137
>
> I was not aware that some frameworks do that. But I don't understand
> how this works. IMHO if you disable the use of cookies, but you also
> tell PHP to use only cookies it creates an impossible scenario. Isn't
> that right?
>
> The way I understand it is that there are 2 ways of propagating
> session ID: cookies and GET/POST. You can tell PHP to use both or
> either one of them, but not neither.
>
> Only cookies:
> use_only_cookies = On
> use_cookies = On
>
> Only GET/POST:
> use_only_cookies = Off
> use_cookies = Off
>
> Both:
> use_only_cookies = Off
> use_cookies = On
>
> The remaining 4th combination should create an impossible scenario.
> Does it mean to use neither option?
>
> I can change the proposal to deprecate only use_only_cookies=Off and
> session.use_trans_sid=On and leave session.use_cookies alone, but I
> just can't think of a situation when leaving that setting in PHP would
> make sense.
>
> I am probably missing something very important and I would appreciate
> it if someone could explain to me what it is. I wouldn't want to
> deprecate something that is used in popular frameworks.

Hi Kamil,

The remaining 4th combination creates the situation where session
creation is always the responsibility of the userland code (by using
session_id($id)).

In the link I provided, it is done by PSR-7/15 purists who think that
only the request emitter should handle headers, not PHP itself, and that
includes cookie headers.

For non-purists it is still a useful scenario; for example, it allowed
using the SameSite attribute on a session cookie before PHP 7.3.
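
The fourth combination discussed in this message, shown in PHP as an added example (not code from the thread or from the linked middleware): PHP's own cookie and URL propagation are both switched off, the application passes a validated ID to session_id() and builds the Set-Cookie header itself, which is how SameSite could be set before PHP 7.3. The names COOKIE_NAME, startUserlandSession and sessionCookieHeader are hypothetical, and the cookie attributes (Path=/, Secure, SameSite=Lax) are assumptions for an HTTPS-only site.

```php
<?php
// Added example: userland session-ID handling for
// use_cookies = Off / use_only_cookies = On.
// COOKIE_NAME and both function names are hypothetical.
const COOKIE_NAME = 'APPSESSID';

function startUserlandSession(array $cookies)
{
    // PHP neither reads nor writes the session cookie itself, and
    // never accepts or emits a session ID in URLs or forms.
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs the server did not issue (session fixation defence).
    ini_set('session.use_strict_mode', '1');

    $id = isset($cookies[COOKIE_NAME]) ? $cookies[COOKIE_NAME] : '';
    // Hand PHP only a well-formed ID: the character set and length
    // range PHP itself can generate. Anything else is ignored and
    // session_start() creates a fresh ID.
    if (is_string($id) && preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1) {
        session_id($id);
    }
    session_start();

    // session_start() may have issued a new ID (none was presented,
    // or strict mode rejected an unknown one), so return the live one.
    return session_id();
}

function sessionCookieHeader($id)
{
    // Built by hand, so SameSite is available even where PHP's own
    // session cookie handling does not know the attribute.
    return sprintf(
        'Set-Cookie: %s=%s; Path=/; Secure; HttpOnly; SameSite=Lax',
        COOKIE_NAME,
        rawurlencode($id)
    );
}

// In a PSR-7/15 stack the header would be added to the response
// object instead of being sent with header().
$id = startUserlandSession($_COOKIE);
header(sessionCookieHeader($id), false);
```

With this setup every protection PHP normally applies to the session cookie (attributes, rotation via session_regenerate_id() after login) has to be reproduced by the code that emits the header.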