Newsgroups: php.internals
Message-ID: <526FED0D.4040709@oracle.com>
Date: Tue, 29 Oct 2013 10:14:53 -0700
To: internals@lists.php.net, "yohgaki@ohgaki.net >> Yasuo Ohgaki"
Subject: Re: [PHP-DEV] Re: session_regenerate_id(true) by default
From: christopher.jones@oracle.com (Christopher Jones)

On 10/29/2013 03:44 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> On Tue, Oct 22, 2013 at 3:53 PM, Yasuo Ohgaki wrote:
>
>> Hi all,
>>
>> Without 'true', session_regenerate_id() will not delete old session data
>> which may contain sensitive data. It was made 'false' by default for
>> users relying on the bug. (PHP 4.x, IIRC)
>>
>> Almost all users should call session_regenerate_id() with the 'true'
>> parameter. Therefore, I would like to suggest making it 'true' by default
>> from the next PHP.
>>
>> Any comments?
>>
>
> I've created an RFC for this.
>
> https://wiki.php.net/rfc/session_regenerate_id

Hi Yasuo,

If parameter omission is an issue, I think you should update the PHP function doc ASAP and explain the problem.

Most E_DEPRECATED messages include the word "deprecated". I think your message could be:

  "Calling session_regenerate_id() without a parameter is deprecated. Passing true is encouraged for better security"

Can you review whether "false" should ever be an allowed value? The PHP doc could be improved to explain why someone might use true or false.

FWIW, the message line in the RFC patch got truncated.

Chris

-- 
christopher.jones@oracle.com
http://twitter.com/ghrd
Free PHP & Oracle book: http://www.oracle.com/technetwork/topics/php/underground-php-oracle-manual-098250.html
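The behaviour the thread is arguing about, as an added example that is not code from the thread or from PHP itself: with the default files save handler, session_regenerate_id() without true leaves the old session record (and whatever data it held) on disk, while session_regenerate_id(true) deletes it. It assumes a CLI run and a writable temp directory; the directory name and the stored value are constructed here.

```php
<?php
// Added demonstration (not from the thread): compare the old record's fate
// after session_regenerate_id(false) and session_regenerate_id(true).

$dir = sys_get_temp_dir() . '/regen_demo_' . getmypid();   // constructed path
mkdir($dir, 0700);
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');    // CLI: there is no client to cookie
ini_set('session.cache_limiter', '');   // CLI: do not try to send cache headers
ini_set('session.use_strict_mode', '1');

/**
 * Start a session, store a value, regenerate the id with the given flag,
 * and report whether the old session's file is still present afterwards.
 */
function oldRecordSurvives($dir, $deleteOld)
{
    session_start();
    $_SESSION['card_last4'] = '4242';   // constructed stand-in for sensitive data
    $old = session_id();
    session_regenerate_id($deleteOld);
    session_write_close();
    return file_exists($dir . '/sess_' . $old);
}

$keptByDefault   = oldRecordSurvives($dir, false);   // current default: false
$removedWithTrue = !oldRecordSurvives($dir, true);   // the RFC's proposed default

printf("session_regenerate_id():     old record kept    = %s\n",
    var_export($keptByDefault, true));
printf("session_regenerate_id(true): old record deleted = %s\n",
    var_export($removedWithTrue, true));

// Remove the constructed directory and any session files left in it.
array_map('unlink', glob($dir . '/sess_*'));
rmdir($dir);
```

The leftover record in the first case is exactly the data the RFC wants removed by default; until then, pass true explicitly wherever a session id is regenerated after a privilege change such as login.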