Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:122636 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by qa.php.net (Postfix) with ESMTPS id 00E261AD8F6 for ; Thu, 14 Mar 2024 10:24:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1710411877; bh=O5AzparjbRB5i3kmle543JzY1Uh9TxvQgebBQmxzOrE=; h=Date:From:To:Subject:In-Reply-To:References:From; b=XMFRRbRxpZs5ihUQDVcipbwnTSVR1o5g0IhqiIKpdkQExMqBqs+ClLzke8UJbGiM7 sIRr2EzMwU6bG76nE3zc3EZwFUVguqh2xE9CglpmMOdTegjT3e2chmrvB5FZrolraM +IOL9ICZMPwHGTiX3Tk+QPxaOTpBMNe/OTwUz1c+OAn/VE9zIxGjy6yArsWJTz/9gQ /0rUQL7D6r343BI9tW/XunYBqhGdk9X0UMgC8tp5YdWntdeF3Ze5fgQhEBrCpbiVq6 0ZcNxIitktz3SacbC+jb1khHj3q01Zk0i5RW+qCj9beOXQyLlELsjVoI3PlFjpmvnN N7YLzCc0iE3Kg== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 8AAC318004F for ; Thu, 14 Mar 2024 10:24:36 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.1 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=4.0.0 X-Spam-Virus: No X-Envelope-From: Received: from mail04.x-net.at (mail04.x-net.at [83.65.7.57]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 14 Mar 2024 10:24:35 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail04.x-net.at (Postfix) with ESMTP id 082116025D for ; Thu, 14 Mar 2024 11:24:16 +0100 (CET) Received: from mail04.x-net.at ([127.0.0.1]) by localhost (x-zimbra04.x [127.0.0.1]) (amavis, port 10032) with ESMTP id 2yMKr511ZDGa for ; Thu, 14 Mar 2024 11:24:15 +0100 (CET) X-Virus-Scanned: amavis at x-zimbra04.x X-Virus-Scanned: amavis at x-t.at DKIM-Filter: OpenDKIM Filter v2.10.3 mail02.x-net.at C868838058B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dafert.at; s=36750624-FFB8-11ED-A31F-F74EAB1B2BED; t=1710411851; bh=Pc3utgiQPe9oQPzEEZ/ldIHdFcyUcm7cmsaYZTFmDA8=; h=Date:From:To:Message-ID:MIME-Version; b=eouzHzRk7d0HrPtC+uyTc1bxHYH0LjT32FAKz1yFSFlT6RyFBnCmIROAAo3Vb/UoZ V8x9OSrcDjtRPwdBCiixv8c32vGHTPP3U6p4Q1f4KQsLkDYfalst7G5OCym+m+a879 yIgPk88MbUBjPu2Ndo+JehhcFXDzWhMoDHrNsKM4G8jD+Td7UUTvg2NWgdYJ71Us0D m9qJpMO1jDvJeGc727iheCuzGvobPBMdIrb8FoLlAnpQBhE3EdFHLqzFdI0zBW/7Li kru5g1jNtqPdeX2Oa2c7HLgisMCdJASgWe8Vm1J97TaHGMGJzpII0GM9MUPRUWvCKk x354USUDclefw== Date: Thu, 14 Mar 2024 11:24:09 +0100 To: internals@lists.php.net Subject: Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions User-Agent: K-9 Mail for Android In-Reply-To: References: Message-ID: <82F88666-F8B4-4E86-AD7D-F4CA75EBF6E0@dafert.at> Precedence: bulk list-help: list-post: List-Id: internals.lists.php.net MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: mel@dafert.at (Mel Dafert) >From: Anton Smirnov >Date: Sun, 3 Mar 2024 at 19:56 > >Greetings! > >As I know some session-related middlewares force custom-only session_id >handling by setting > > use_cookies =3D Off > use_only_cookies =3D On > >and then using session_id(=2E=2E=2E) directly > >Example: >https://github=2Ecom/middlewares/php-session/blob/master/src/PhpSession= =2Ephp#L137 > >I think if you're making this hack impossible, you should provide an >alternative non-hackish way to do this=2E > >Maybe just keep use_cookies =3D Off > >A wild idea: > >1) Add a temporary config > > # by default; current behavior; > # throws a deprecation right from the introduction > cookies=2Euse_post_get =3D On > # do not set the session from POST and GET > cookies=2Euse_post_get =3D Off > >Remove it in 9 with the rest > >2) keep use_cookies in PHP 9 with the updated meaning > >I don't think it's a good solution but maybe it can spark a better one > >Best, >Anton I think the better option is to make this explicit and add a config along = the lines of `automatic_session_detection` (name to be bikeshed) defaulting= to `On`, and in your use-case setting it to `Off` explicitly=2E Regards, Mel