Newsgroups: php.internals
Subject: Re: [PHP-DEV] session_regenerate_id(true) by default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Patrick Schaaf
Cc: Ferenc Kovacs, internals
Date: Wed, 23 Oct 2013 09:56:03 +0900

Hi Patrick,

On Tue, Oct 22, 2013 at 8:10 PM, Patrick Schaaf wrote:
> Working on the issue for our own application, I'm in the process of
> teaching our session wrapping class to regenerate ID often - but when doing
> so, first setting up the previous session ID with two pieces of
> information: a short timeout of 20 seconds or something like that, and a
> "forwarding ID" which references the new session ID.
>
> I want to do this because I want to regenerate IDs often (also based on a
> rather short timeout), and I'm concerned about parallel in-flight requests
> - a high probability reality with ajax getting more and more traction -
> still presenting the old session ID a second or two after a request
> determined to regenerate.

Session save handlers lock session data to avoid a mess, but your approach works without a lock in many cases. However, it may result in inconsistent session data (i.e. overwritten data), so I would not recommend it for general usage.

IIRC, the reason session_regenerate_id(false) is the default is compatibility within the same minor version release. We should have cleaned this up years ago.

The main idea of this proposal is "Making PHP secure by default". It is not worth keeping an insecure default forever because the initial implementation had a bug. IMHO.

"Making PHP secure by default" also achieves "Easy to learn and use".

BTW, I prefer not to raise errors for "false", since it has valid uses with save handlers that allow disabling locks or work without locks, e.g. the memcached and mm save handlers.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
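As an added example (not code from this thread or from PHP's own sources), here is Patrick's forwarding-ID scheme sketched on top of PHP's built-in files save handler, with the lost-update window Yasuo describes marked in a comment; the `__forward_*` keys, the function names and the CLI setup are assumptions, the 20-second timeout is the one Patrick mentions.

```php
<?php
// Added example, not from the thread: "forwarding ID" regeneration over the files save handler.
ini_set('session.save_path', sys_get_temp_dir());
const FORWARD_TTL = 20; // seconds the old ID keeps pointing at the new one

// Regenerate the ID, then leave only a short-lived forwarding pointer in the old session.
function regenerate_with_forward(): string
{
    $old = session_id();
    session_regenerate_id(false);      // new ID; the old record is kept, not destroyed
    $new = session_id();
    session_write_close();             // persist the current data under the new ID
    // Lost-update window Yasuo points out: a parallel request that wrote to $old between
    // the regenerate above and this rewrite has its write silently discarded.
    session_id($old);
    session_start();
    $_SESSION = ['__forward_to' => $new, '__forward_expires' => time() + FORWARD_TTL];
    session_write_close();
    session_id($new);
    session_start();                   // continue this request on the new ID
    return $new;
}

// Start the session; a stale in-flight request that still presents the old ID is forwarded
// to the new one while the grace period lasts, and gets a fresh, empty session afterwards.
function start_session(): void
{
    session_start();
    if (!isset($_SESSION['__forward_to'], $_SESSION['__forward_expires'])) {
        return;
    }
    $target = $_SESSION['__forward_to'];
    $alive  = time() < $_SESSION['__forward_expires'];
    session_write_close();
    if ($alive) {
        session_id($target);
        session_start();
    } else {
        session_start();               // grace period over: do not resurrect the old ID
        session_regenerate_id(true);   // fresh ID, stale record deleted
        $_SESSION = [];                // and drop the expired pointer
    }
}
// Demo: log in, regenerate, then replay a request that still carries the old ID.
session_start();
$_SESSION['user'] = 'alice';
$old = session_id();
$new = regenerate_with_forward();
session_write_close();
session_id($old);                      // simulate the in-flight AJAX request
start_session();
var_dump(session_id() === $new, $_SESSION['user'] ?? null); // bool(true), "alice"
```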