Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:102937 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 93278 invoked from network); 21 Jul 2018 11:11:34 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 21 Jul 2018 11:11:34 -0000 Authentication-Results: pb1.pair.com smtp.mail=cmbecker69@gmx.de; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=cmbecker69@gmx.de; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmx.de designates 212.227.15.19 as permitted sender) X-PHP-List-Original-Sender: cmbecker69@gmx.de X-Host-Fingerprint: 212.227.15.19 mout.gmx.net Received: from [212.227.15.19] ([212.227.15.19:59777] helo=mout.gmx.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id AF/35-47674-3E4135B5 for ; Sat, 21 Jul 2018 07:11:33 -0400 Received: from [192.168.2.102] ([87.167.201.185]) by mail.gmx.com (mrgmx001 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MKprU-1fgpnC44Ce-00077q; Sat, 21 Jul 2018 13:11:19 +0200 To: =?UTF-8?Q?Pedro_Magalh=c3=a3es?= , f.bosch@genkgo.nl Cc: smalyshev@gmail.com, PHP internals References: <1abd260d-ebc4-a062-3381-72485946e8bc@gmail.com> Message-ID: <279bc20a-6bbb-7114-fb7e-293b543a5fdb@gmx.de> Date: Sat, 21 Jul 2018 13:11:19 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: de-DE Content-Transfer-Encoding: 8bit X-Provags-ID: V03:K1:DMy7n/NaAxaWHmnS4lVtBD6JQbLlo1yC7ME0qAwI4AmSgBE+G+6 4P/THtUIhBzcaw+Z80Y8MvJv7vMKEt+73XZWpXCGZ+Z34bZwpZU2vsKSNZ12ikHVMExTELe xclQduEs+XlYX+MCbQ96XHPsimOMnpNf1k/XT3DoG3BSV4MrjrA2MKVgiNm0HGDCQffzbx0 7D03kdCyd/ZebaloMmdeg== X-UI-Out-Filterresults: notjunk:1;V01:K0:f0wjLi8XDQE=:SeFdM5e8NMuGH6A8sZDCyA dBTUQZ4LyyoDm3b2QAn1c0EiCsd2NGNOWBKIA65ErvI9bGdhVAxDo1lEDXJG7TWkvw9yNQYHX 8XdPcLRuv2DFgLLKG7rNQJmzNCWClKs3KVPkdpK5L3kX3ZGheXhiWnG6HOYBOrbPqGbwKimHX M/2bmEGLTelpVm50mfg8eGeXYapg1+yzy/oX+PhXPhz8jud1fQ0B6cr7p6xX5HIWkCmamnfp3 sYynIx3M0UYulgzcoe02uRdEQY7lWD4DiuOeuC22PqkqoqzMiV9UHRvnxgqUjczOUa41n2X5h KsG6FuO1ds/QvIxyXJpc2FcmvCjVzi1Z1dz9kBJOcVIfKgul0T/3Ld6CutVYgOLDB2CVReyDe 8ID2yEFaYC3zkIyL0ruDDXDaxYjh2mlYF3eFIWmDbRTmDGmAALi5W/WIOixUv+GeVHiHqMVEI hCbZtLo4IGfBM0S4mLAzKniTNGyT7z3cqbvRxAF9MOFidNQJTLAa/XG4Va3CtjXujaLbKNdMg 5uAFz+QVJjX6fLQFth9Bc0DBhJ6Vwmiz/NXq6MWBE6o03lqQC/lNiRMXe0jqiBC+lBf4lBOpY R/Q7uvhjslao8JZ5iP6T0bDohoRFHjC5dYOPaXWwSIJR8g2UQ2fEPUHcSueGCqbhigmDykRIt mzE/ugj17hS8aWwE2JDMmtWE4ZqroxqULB3FfSUmsLMkBkd7VchpwWZMUh8YdqTDJGTAk92Y5 AmX9kr4hEYF9tjdouq8FXDyfLp9pV1USweQRBl9SCu/6vEveATVimuDj9S6JBihg59awjRcl1 u6RXxLM Subject: Re: [PHP-DEV] [VOTE] Same Site Cookie RFC From: cmbecker69@gmx.de ("Christoph M. Becker") On 18.07.2018 at 23:00, Pedro Magalhães wrote: > On 28-08-17 21:06, Stanislav Malyshev wrote: > >> Something not clear to me on the second one - why lifetime/expiration is >> a separate parameter while all others are part of $options? > > On Mon, Aug 28, 2017 at 8:53 PM Frederik Bosch wrote: > >> 1. The session_set_cookie_params function requires a lifetime parameter >> at the moment. >> >> 2. To enforce that lifetime stays required I did not want to make it >> required within the optional array. That would make that optional array >> not optional anymore, and even have a required key. I don't think that >> is a good idea. >> >> 3. To prevent that the array of options is different between the three >> functions (session_set_cookie_params, setcookie, setrawcookie), I chose >> to exclude lifetime from the array of options and include it in the list >> of arguments. >> >> Hence, I chose a consistent and logical API over the three functions >> together rather than having logical ones per function. Hope it makes sense. > > This reasoning doesn't make a lot of sense to me. > With regards to session_set_cookie_params, I believe that the only reason > why lifetime is required in that function is because calling it without > parameters doesn't have a purpose. > With an array of options (which keeps the first parameter mandatory), there > is no strong reason to make one of them required. An empty array or an > array without any valid key would still error. > If this is acceptable for that function, all the other functions can have > all the options in the array as that keeps the array consistent across them. > > With this being said, would anyone oppose an implementation where all the > options (including lifetime) are included in the array parameter? Personally, I'd even prefer this, but that's not what was voted upon, so I'm not sure if it's okay. Anyhow, the implementation is available as . Thanks, Pedro! > About the implementation, the array of options is never really defined in > the RFC. If we assume that it is identical to the proposed output > of session_get_cookie_params, the name of the first key should be lifetime. > However, for setcookie and setrawcookie, the documented parameter name is > expire. Would there be any issue if we would assume lifetime for the 4 > functions? I'd prefer “expire_s_”, but I'm okay with “lifetime”. -- Christoph M. Becker