Newsgroups: php.internals
Message-ID: <5267B921.7010501@gmail.com>
Date: Wed, 23 Oct 2013 12:55:13 +0100
To: internals@lists.php.net
Subject: Re: [PHP-DEV] session_regenerate_id(true) by default
From: rowan.collins@gmail.com (Rowan Collins)

Ferenc Kovacs wrote (on 22/10/2013):
> On Tue, Oct 22, 2013 at 8:53 AM, Yasuo Ohgaki wrote:
>
>> Hi all,
>>
>> Without 'true', session_regenerate_id() will not delete old session data
>> which may contain sensitive data. It was made 'false' by default for
>> users relying on the bug. (PHP 4.x, IIRC)
>>
>> Almost all users should call session_regenerate_id() with 'true' parameter.
>> Therefore, I would like to suggest making it 'true' by default from next PHP.
>>
>> Any comments?
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net
>>
>
> We could add an E_DEPRECATED for the session_regenerate_id(false) usage
> for 5.6 instead.
>

Presumably what we want to deprecate is not the *ability* to pass false,
but the *default* of false. So raise an E_DEPRECATED if you don't pass
the parameter, and document that passing true will normally be the
desired behaviour. Then in some future major version, remove the default
value, making it an E_ERROR or whatever to omit it.

--
Rowan Collins
[IMSoP]
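
The behaviour under discussion, as an added example that is not part of the original message or of PHP's own code: it regenerates a session ID with and without the delete flag and reports whether the old session file is still on disk. It assumes the default "files" save handler run under the PHP 7+ CLI; `regenerate_and_inspect()`, the scratch directory and the stored value are constructed for illustration.

```php
<?php
// Added illustration, not code from the thread. regenerate_and_inspect() is a
// hypothetical helper; it assumes the default "files" save handler and PHP CLI.

function regenerate_and_inspect(bool $deleteOld): array
{
    // Constructed scratch directory so no real session storage is touched.
    $dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);

    ini_set('session.save_handler', 'files');
    ini_set('session.use_cookies', '0');    // CLI run: there is no cookie to send
    ini_set('session.cache_limiter', '');   // and no cache headers either
    session_save_path($dir);
    session_id(bin2hex(random_bytes(16)));  // constructed pre-login session ID

    session_start();
    $_SESSION['email'] = 'alice@example.test';  // constructed sensitive value
    $oldId = session_id();

    session_regenerate_id($deleteOld);      // the call under discussion
    $newId = session_id();
    session_write_close();

    $report = [
        'delete_old_session' => $deleteOld,
        'old_file_remains'   => file_exists("$dir/sess_$oldId"),
        'new_file_exists'    => file_exists("$dir/sess_$newId"),
    ];

    // Clean up the scratch directory.
    array_map('unlink', glob("$dir/sess_*"));
    rmdir($dir);
    $_SESSION = [];
    return $report;
}

// Collect both results first: output before session_start() would trigger
// "headers already sent" warnings on current PHP versions.
$reports = [regenerate_and_inspect(false), regenerate_and_inspect(true)];
foreach ($reports as $r) {
    printf("delete_old_session=%s old_file_remains=%s new_file_exists=%s\n",
        var_export($r['delete_old_session'], true),
        var_export($r['old_file_remains'], true),
        var_export($r['new_file_exists'], true));
}
```

A custom save handler (database, cache) needs the equivalent check against its own storage, since the file test here only covers the "files" handler.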