Newsgroups: php.internals
Date: Tue, 22 Oct 2013 12:48:23 +0200
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] session_regenerate_id(true) by default
From: tyra3l@gmail.com (Ferenc Kovacs)

On Tue, Oct 22, 2013 at 8:53 AM, Yasuo Ohgaki wrote:

> Hi all,
>
> Without 'true', session_regenerate_id() will not delete old session data
> which may contain sensitive data. It was made to 'false' by default for
> users relying on the bug. (PHP 4.x, IIRC)
>
> Almost all users should call session_regenerate_id() with 'true' parameter.
> Therefore, I would like to suggest making it 'true' by default from next PHP.
>
> Any comments?
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>

We could add an E_DEPRECATED for the session_regenerate_id(false) usage
for 5.6 instead.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
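
Added example, not part of the original message or of PHP's own code: a PHP 7+ CLI script that compares session_regenerate_id(false) with session_regenerate_id(true) under the default "files" save handler and reports whether the old session file is still on disk. The temporary directory, the stored value and the rotate() helper are constructed for illustration.

```php
<?php
// Constructed demo: run with the PHP CLI. All ini changes happen before
// any output, because session settings cannot be changed afterwards.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');      // CLI run: no cookie headers
ini_set('session.use_strict_mode', '0');  // accept the ID set below
ini_set('session.cache_limiter', '');

// Hypothetical helper: start a session, store a value, rotate the ID,
// then report what is left behind under the old ID.
function rotate(string $dir, bool $deleteOld): array
{
    session_id(bin2hex(random_bytes(16)));     // constructed pre-rotation ID
    session_start();
    $_SESSION['email'] = 'user@example.test';  // constructed sensitive value
    $oldId = session_id();

    session_regenerate_id($deleteOld);         // the call under discussion
    $newId = session_id();
    session_write_close();

    $oldFile = "$dir/sess_$oldId";
    $exists  = file_exists($oldFile);
    return [
        'id_changed'      => $oldId !== $newId,
        'old_file_exists' => $exists,
        'old_file_data'   => $exists ? file_get_contents($oldFile) : null,
    ];
}

$results = [
    'session_regenerate_id(false)' => rotate($dir, false),
    'session_regenerate_id(true)'  => rotate($dir, true),
];

foreach ($results as $call => $r) {
    printf("%s: id_changed=%s old_file_exists=%s old_file_data=%s\n",
        $call,
        var_export($r['id_changed'], true),
        var_export($r['old_file_exists'], true),
        var_export($r['old_file_data'], true));
}

// Remove the constructed session files and directory.
array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);
```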