Newsgroups: php.internals
Xref: news.php.net php.internals:69746
Subject: Re: [PHP-DEV] session_regenerate_id(true) by default
From: derick@php.net (Derick Rethans)
To: Yasuo Ohgaki
Cc: internals@lists.php.net
Date: Tue, 22 Oct 2013 10:12:54 +0100 (BST)

On Tue, 22 Oct 2013, Yasuo Ohgaki wrote:

> Hi all,
>
> Without 'true', session_regenerate_id() will not delete old session data,
> which may contain sensitive data. It was made 'false' by default for
> users relying on the bug. (PHP 4.x, IIRC)
>
> Almost all users should call session_regenerate_id() with the 'true' parameter.
> Therefore, I would like to suggest making it 'true' by default from the next PHP.
>
> Any comments?

You can't just change subtle details like this.

Big changes are a lot easier to manage for users, but changing defaults that have a subtle impact on already existing code is a bad idea in my book.

cheers,
Derick
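The behaviour the thread is arguing about, shown as an added example (it is not code posted by Yasuo or Derick). Run from the PHP CLI, it creates a session with PHP's default "files" handler, regenerates the id once with delete_old_session=false and once with true, and checks what is left on disk each time. The temp directory name, the check() helper and the session keys are assumptions made for this demo; nothing here depends on an HTTP request.

```php
<?php
// Added example for this thread; not code from the original message.
// Shows what the delete_old_session argument of session_regenerate_id()
// controls, using the default "files" session handler.
// Assumptions: PHP CLI (5.4 or newer) and a writable temp directory.
// The directory name, check() helper and session keys are chosen for the demo.

$dir = sys_get_temp_dir() . '/sess_demo_' . getmypid();
if (!mkdir($dir, 0700)) {
    fwrite(STDERR, "cannot create $dir\n");
    exit(1);
}
session_save_path($dir);
ini_set('session.use_cookies', '0');    // CLI: there is no client to send a cookie to
ini_set('session.cache_limiter', '');   // and no HTTP cache headers to emit
ini_set('session.gc_probability', '0'); // keep GC from interfering with the demo

// The files handler stores session $id as "sess_$id" under the save path.
function sessionFile($dir, $id)
{
    return $dir . '/sess_' . $id;
}

// Minimal assertion helper (zend.assertions may be compiled out in production ini).
function check($cond, $msg)
{
    echo ($cond ? 'ok   ' : 'FAIL ') . $msg . "\n";
    if (!$cond) {
        exit(1);
    }
}

// Step 1: create a session holding data we would not want to leave behind.
session_start();
$_SESSION['user_id'] = 42;
$_SESSION['token']   = 'constructed sensitive value';
$idA = session_id();
session_write_close();                  // sess_$idA is now on disk
check(file_exists(sessionFile($dir, $idA)), "session $idA written");

// Step 2: resume it and regenerate WITHOUT deleting the old session
// (the default Yasuo proposes to change).
session_id($idA);
session_start();
session_regenerate_id(false);
$idB = session_id();
session_write_close();
check($idA !== $idB, 'a new id was issued');
check(file_exists(sessionFile($dir, $idA)),
      "old session $idA still on disk after regenerate_id(false)");
check(strpos(file_get_contents(sessionFile($dir, $idA)), 'constructed sensitive value') !== false,
      'and it still holds the data: anyone who knows the old id keeps a working session until GC runs');

// Step 3: resume the new session and regenerate WITH deletion.
session_id($idB);
session_start();
session_regenerate_id(true);
$idC = session_id();
session_write_close();
check(!file_exists(sessionFile($dir, $idB)), "session $idB removed by regenerate_id(true)");
check(file_exists(sessionFile($dir, $idC)), "session $idC carries the data forward");

// Clean up. Note that sess_$idA from step 2 is still here and must be removed by hand;
// in a real deployment it would linger until session GC happened to run.
foreach (glob($dir . '/sess_*') as $f) {
    unlink($f);
}
rmdir($dir);
```

The practical consequence for application code: call session_regenerate_id(true) at every privilege change (login, role elevation) so a fixated or leaked pre-authentication id stops working immediately, rather than whenever session.gc_* settings get round to it.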