Newsgroups: php.internals
Date: Sun, 2 Sep 2018 19:58:45 +0900
To: PHP internals
Subject: Check session availability before starting session.
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

I've got a request for session_available(), which can check whether a session ID is sent from the client or not _before_ starting the session. (The existence of session data does not matter.)

This is primarily for GDPR. Starting a session before agreement can be a GDPR compliance violation.

Since PHP supports various ways to embed the session ID in a page / request, finding the actual state from a user script is not a simple task. i.e. Just checking the session ID cookie is not good enough according to the session module spec. The session ID can be stored in the URL path, query, POST parameter and cookie.

Any comments?

--
Yasuo Ohgaki
yohgaki@ohgaki.net
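
A userland approximation of the check requested above, added here as an illustration; it is not part of the original message and not PHP's own code. The function name client_session_id_sources() is hypothetical, and the "<name>=<id>" form for an ID in the URL path is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical userland helper, not a PHP built-in: lists the places where the
// current request carries a session ID, without calling session_start().
function client_session_id_sources(array $cookie, array $get, array $post, string $requestUri): array
{
    $name = session_name(); // configured session name, e.g. PHPSESSID
    $sent = static function (array $src) use ($name): bool {
        return isset($src[$name]) && is_string($src[$name]) && $src[$name] !== '';
    };
    $on = static function (string $key): bool {
        return filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);
    };

    $found = [];
    if ($on('session.use_cookies') && $sent($cookie)) {
        $found[] = 'cookie';
    }
    // Non-cookie transports count only when session.use_only_cookies is off.
    if (!$on('session.use_only_cookies')) {
        if ($sent($get)) {
            $found[] = 'query';
        }
        if ($sent($post)) {
            $found[] = 'post';
        }
        // Assumption: an ID in the URL path appears as a "<name>=<id>" segment.
        $path = parse_url($requestUri, PHP_URL_PATH);
        $pattern = '~(?:^|/)' . preg_quote($name, '~') . '=[^/]+~';
        if (is_string($path) && preg_match($pattern, $path) === 1) {
            $found[] = 'path';
        }
    }
    return $found;
}

// Constructed sample request: the ID arrives only as a cookie.
$sources = client_session_id_sources(
    [session_name() => 'constructedsampleid0123456789'], [], [], '/index.php'
);
if ($sources === []) {
    echo "No session ID sent; do not call session_start() before consent.\n";
} else {
    echo 'Session ID sent via: ' . implode(', ', $sources) . "\n";
}
```

In a web request the call would be client_session_id_sources($_COOKIE, $_GET, $_POST, $_SERVER['REQUEST_URI'] ?? ''), with session_start() deferred until the list is non-empty or consent has been recorded.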