Newsgroups: php.internals
From: lists@rhsoft.net ("lists@rhsoft.net")
To: PHP internals
Date: Fri, 28 Jul 2017 17:03:57 +0200
Message-ID: <66ea3e5e-2f5f-19c5-6084-53ace8435be0@rhsoft.net>
Subject: Re: [PHP-DEV] session_start() should not reset $_SESSIOn if it's not empty

On 28.07.2017 at 16:48, Andrey Andreev wrote:
> Hi,
>
> On Fri, Jul 28, 2017 at 5:45 PM, Sara Golemon wrote:
>>
>> ftr; I'd vote in favor of several BC breaking things to do with
>> autoglobals, among them:
>>
>> * Make them objects (though ArrayAccess based for less hostile BC breakage)
>> * Make most of them read-only (offsetGet(), but no offsetSet)
>> * Make $_SESSION[...] access produce an error or auto-start the session
>>
>> I've seen too many codebases abuse GPCER vars as a generic storage
>> location because "globals are bad, but this is good because it doesn't
>> include the word global". As a performance issue, the runtime has to
>> assume autoglobals are inherently volatile and could change on a whim
>> at any moment (much like $http_response_headers). Restricting their
>> mutability would be a win. The request globals could probably also be
>> optimized fairly significantly.
>>
>> If anyone agrees, I'm willing to RFC it. If not, I'll continue living
>> with it. :D
>>
>
> Yes, please!

raise a warning when writing to $_SESSION without a session_start()

make an implicit autostart - *for sure not*
this would only produce hidden errors or later warnings when you rely on session params and introduce more problems than it solves because clients don't like the same cookies with different params

make POST/GET/SERVER readonly - only when you refactor a 250000 line code base as well as deployed code which relies on the framework did the right thing with them previously :-)
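
The two ideas discussed in this thread, read-only request input through ArrayAccess and a warning on session writes made before session_start() with no implicit autostart, sketched in userland PHP. This is an added example, not part of the original message and not PHP's own code; `ReadOnlyInput` and `GuardedSession` are hypothetical names, and PHP 8.0+ on the CLI is assumed.

```php
<?php
declare(strict_types=1);
// Added sketch for PHP 8.0+; class names are hypothetical, not PHP APIs.
ob_start(); // buffer CLI output so session_start() below can still run

/** Read-only request input: offsetGet() works, writes throw. */
final class ReadOnlyInput implements ArrayAccess
{
    public function __construct(private array $data) {}
    public function offsetExists(mixed $key): bool { return isset($this->data[$key]); }
    public function offsetGet(mixed $key): mixed { return $this->data[$key] ?? null; }
    public function offsetSet(mixed $key, mixed $value): void
    {
        throw new LogicException('request input is read-only');
    }
    public function offsetUnset(mixed $key): void
    {
        throw new LogicException('request input is read-only');
    }
}

/** Session access that warns on a write made before session_start(). */
final class GuardedSession implements ArrayAccess
{
    public function offsetExists(mixed $key): bool { return isset($_SESSION[$key]); }
    public function offsetGet(mixed $key): mixed { return $_SESSION[$key] ?? null; }
    public function offsetSet(mixed $key, mixed $value): void
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            // No implicit autostart: the caller keeps control of cookie params.
            trigger_error('session write before session_start() dropped', E_USER_WARNING);
            return;
        }
        $_SESSION[$key] = $value;
    }
    public function offsetUnset(mixed $key): void { unset($_SESSION[$key]); }
}

// Constructed sample input.
$get = new ReadOnlyInput(['id' => '42']);
try {
    $get['id'] = '1';
} catch (LogicException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

$session = new GuardedSession();
$session['user'] = 'alice'; // warning raised, nothing stored
session_start();
$session['user'] = 'alice'; // stored in $_SESSION
echo 'user: ', $session['user'], PHP_EOL;
```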