Newsgroups: php.internals
Xref: news.php.net php.internals:100087
Date: Fri, 28 Jul 2017 11:11:00 -0400
To: PHP internals
Subject: Changes to SuperGlobals for PHP 8 (was: something about session_start...)
From: pollita@php.net (Sara Golemon)

On Fri, Jul 28, 2017 at 11:03 AM, lists@rhsoft.net wrote:
>> On Fri, Jul 28, 2017 at 5:45 PM, Sara Golemon wrote:
>>> ftr; I'd vote in favor of several BC breaking things to do with
>>> autoglobals, among them:
>>>
>>> * Make them objects (though ArrayAccess based for less hostile BC
>>>   breakage)
>>> * Make most of them read-only (offsetGet(), but no offsetSet)
>>> * Make $_SESSION[...] access produce an error or auto-start the session
>>>
>>> I've seen too many codebases abuse GPCER vars as a generic storage
>>> location because "globals are bad, but this is good because it doesn't
>>> include the word global". As a performance issue, the runtime has to
>>> assume autoglobals are inherently volatile and could change on a whim
>>> at any moment (much like $http_response_headers). Restricting their
>>> mutability would be a win. The request globals could probably also be
>>> optimized fairly significantly.
>>>
>>> If anyone agrees, I'm willing to RFC it. If not, I'll continue living
>>> with it. :D
>>>
>>
>> Yes, please!
>
>
> raise a warning when writing to $_SESSION without a session_start()
>
> make an implicit autostart - *for sure not* this would only produce hidden
> errors or later warnings when you rely on session params and introduce more
> problems than it solves because clients don't like the same cookies with
> different params
>
> make POST/GET/SERVER readonly - only when you refactor a 250000 line code
> base as well as deployed code which relies on the framework did the right
> thing with them previously :-)
>
>

I'm sure there will be many strong opinions on this, but let's move
this to a new thread. :D

1. This would be an 8.0 change as it does represent a significant BC change.
2. We can discuss the possibility of INI options or other mitigation
   strategies for misbehaving code bases (and they do exist).
3. I'm definitely not decided on what I'd like from default session
   behavior. An error isn't out of the question, for sure.

-Sara
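
A userland sketch of the "ArrayAccess based, offsetGet() but no offsetSet" idea from the quoted proposal, added here as an example and not code from this thread or from any RFC. The class name `ReadOnlyRequestVars` and the sample data are hypothetical, and the `mixed` type hints assume PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical userland class; PHP itself ships nothing by this name.
final class ReadOnlyRequestVars implements ArrayAccess, Countable, IteratorAggregate
{
    private array $data;

    public function __construct(array $data)
    {
        // Arrays are copied by value, so later writes to the source
        // array cannot change what this object returns.
        $this->data = $data;
    }

    public function offsetExists(mixed $offset): bool
    {
        return isset($this->data[$offset]);
    }

    public function offsetGet(mixed $offset): mixed
    {
        return $this->data[$offset] ?? null;
    }

    // Writes and unsets are rejected instead of silently accepted.
    public function offsetSet(mixed $offset, mixed $value): void
    {
        throw new LogicException('request variables are read-only');
    }

    public function offsetUnset(mixed $offset): void
    {
        throw new LogicException('request variables are read-only');
    }

    public function count(): int { return count($this->data); }

    public function getIterator(): Iterator { return new ArrayIterator($this->data); }
}

// Constructed sample input standing in for $_GET.
$get = new ReadOnlyRequestVars(['id' => '42', 'filter' => ['a', 'b']]);

var_dump($get['id'], isset($get['missing']));   // reads behave like the array

try {
    $get['is_admin'] = '1';                      // the "generic storage" pattern
} catch (LogicException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Code that passes the value to array functions such as `array_key_exists()` or `array_merge()` still breaks with an ArrayAccess object, which is the BC cost the thread is weighing.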