Newsgroups: php.internals
Date: Tue, 22 Oct 2013 15:53:58 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Subject: session_regenerate_id(true) by default

Hi all,

Without 'true', session_regenerate_id() will not delete old session data,
which may contain sensitive data.

It was made 'false' by default for users relying on the bug. (PHP 4.x, IIRC)

Almost all users should call session_regenerate_id() with the 'true' parameter.
Therefore, I would like to suggest making it 'true' by default from the next PHP.

Any comments?

--
Yasuo Ohgaki
yohgaki@ohgaki.net
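
The behaviour described in the message above, as an added example that is not part of the original post: a PHP CLI script that regenerates a session ID with and without 'true' and reports what remains under the old ID. It assumes PHP 7 or later and the default "files" save handler; the function name, the temporary directory and the stored value are constructed for the demo.

```php
<?php
// Added demo, not from the original message. Run with the PHP CLI.
// All session calls finish before any output is printed, so the
// "headers already sent" checks in the session extension are never hit.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4)); // throwaway save path
mkdir($dir, 0700);
session_save_path($dir);
ini_set('session.use_cookies', '0'); // CLI run: there is no cookie to send

// Stores a constructed secret, regenerates the ID, and reports what is left
// under the OLD session ID in the files handler's directory (hypothetical helper).
function leftover_after_regenerate(string $dir, bool $deleteOld): array
{
    session_start();
    $_SESSION['secret'] = 'constructed-sensitive-value';
    $oldId = session_id();

    session_regenerate_id($deleteOld);
    $newId = session_id();
    session_write_close();

    clearstatcache();
    $oldFile = "$dir/sess_$oldId"; // the files handler names its files sess_<id>
    $exists  = file_exists($oldFile);

    return [
        'id_changed'      => $oldId !== $newId,
        'old_file_exists' => $exists,
        'old_file_data'   => $exists ? file_get_contents($oldFile) : null,
    ];
}

$withoutTrue = leftover_after_regenerate($dir, false); // current default
$withTrue    = leftover_after_regenerate($dir, true);  // proposed default

// Remove everything the demo created before printing the results.
array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);

echo "session_regenerate_id(false):\n";
var_dump($withoutTrue);
echo "session_regenerate_id(true):\n";
var_dump($withTrue);
```

Comparing the two `old_file_exists` entries shows whether a request that still presents the old session ID would find a session file to load.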