Newsgroups: php.internals
Subject: Re: [PHP-DEV] session_regenerate_id(true) by default
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Andi Gutmans
Cc: Christopher Jones, internals@lists.php.net
Date: Mon, 4 Nov 2013 12:32:20 +0900
In-Reply-To: <5749CE46-8438-42F8-95D0-B854E35CC29E@zend.com>
References: <526FED0D.4040709@oracle.com> <5749CE46-8438-42F8-95D0-B854E35CC29E@zend.com>

Hi Andi,

On Mon, Nov 4, 2013 at 9:00 AM, Andi Gutmans wrote:
> On Oct 29, 2013, at 10:14 AM, Christopher Jones <christopher.jones@oracle.com> wrote:
>
> > Hi Yasuo,
> >
> > If parameter omission is an issue, I think you should update the PHP
> > function doc ASAP and explain the problem.
> >
> > Most E_DEPRECATED messages include the word "deprecated". I think
> > your message could be:
> >
> > "Calling session_regenerate_id() without a parameter is
> > deprecated. Passing true is encouraged for better security"
> >
> > Can you review whether "false" should ever be an allowed value?
>
> I think we would want to continue to support false (we can check
> code.google.com or something to see how much it’s being used without
> parameters or with false). [I am not online now unfortunately].
>
> Eliminating the default option can absolutely work as it means users need
> to make a conscious decision.

I think the option should be kept forever.
I'll add race condition mitigation into session module, but it's a
mitigation, not a solution.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
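The explicit-argument usage the thread is discussing, as an added example that is not code from the message or from PHP's session module; the handler name and the `$_SESSION` keys are assumptions for illustration:

```php
<?php
// Added example: rotate the session ID at an authentication boundary,
// passing true explicitly so the old session record is deleted rather
// than left behind. The handler name and session keys are assumptions.

function on_successful_login(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // true: delete the old session storage. When the argument is omitted
    // the default is false, so the previous ID stays valid until garbage
    // collection, which is what the thread argues should not be the
    // silent default. Trade-off raised in the thread: a concurrent request
    // still carrying the old ID finds no session data once it is deleted.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('session_regenerate_id() failed');
    }

    // Bind the fresh session to the authenticated principal.
    $_SESSION['uid'] = $userId;
    $_SESSION['auth_time'] = time();
}
```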