Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:71039 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 38919 invoked from network); 8 Jan 2014 16:17:22 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 8 Jan 2014 16:17:22 -0000 Authentication-Results: pb1.pair.com header.from=danack@basereality.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=danack@basereality.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain basereality.com from 74.125.82.48 cause and error) X-PHP-List-Original-Sender: danack@basereality.com X-Host-Fingerprint: 74.125.82.48 mail-wg0-f48.google.com Received: from [74.125.82.48] ([74.125.82.48:36903] helo=mail-wg0-f48.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 41/00-38797-F0A7DC25 for ; Wed, 08 Jan 2014 11:17:21 -0500 Received: by mail-wg0-f48.google.com with SMTP id x13so1630280wgg.3 for ; Wed, 08 Jan 2014 08:17:16 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=CuQp5enuG7Evm+g+xonNEbkJDlNSbmeTrJZ4Srt9TMY=; b=EwF4ZCTcDQURrvomPkMX5A6YxY0bTpJa0OuDPNGFp+bLNZhNyJgOnEKNazE5Thqh6i d02xlpNeQ/ChJzfZ7/IuGd+l0u5FRJ1h18uHF5PXfqNS4KjDRXLoIOJHmrPiksETkfKB iNAzQGVW1vVr8BegNLZzBFED7KEDvz59z3kPs6TH4BdMpcuPgsvoGk0JfXoW7vWVw0Tq hqaabcLlHdjQN7CbGWAx6jZ/cS3ud8xk8tZYYWgXKvi8ViHNUMe+FWI9DYU5gA8dCx3y 5hqWk01vUmvh4ogYXQfElRLW7DclL7A/VT0B6LsqbxDev5uvhMFXUcfDZ9Tq7wZxT+Sf bUEw== X-Gm-Message-State: ALoCoQk4FBCY98rBfm4plbL0kan/Dq47twuJjbTQ5dBJnJI/ERLk7DApPC4e9zfnkMKthfg2xUL5 MIME-Version: 1.0 X-Received: by 10.194.79.165 with SMTP id k5mr13451158wjx.44.1389197836257; Wed, 08 Jan 2014 08:17:16 -0800 (PST) Received: by 10.216.222.199 with HTTP; Wed, 8 Jan 2014 08:17:16 -0800 (PST) X-Originating-IP: [2.99.224.19] In-Reply-To: References: Date: Wed, 8 Jan 2014 16:17:16 +0000 Message-ID: To: Yasuo Ohgaki Cc: "internals@lists.php.net" Content-Type: text/plain; charset=ISO-8859-1 Subject: Re: [PHP-DEV] [RFC] Introduce session.lock, session.lazy_write and session.lazy_destory From: danack@basereality.com (Dan Ackroyd) Hi, While I agree with the rationale for wanting more advanced behaviour from the session management functionality in PHP, I don't think adding more functionality to the built in session_* functions will give a result that is satisfactory. The problem is that most of the information about how the sessions should be managed lives at the application level. It will also vary within an application depending on what the user is doing. Some examples, from the RFC: Session locking - If an application knows that it won't be writing any data to the session, it should be able to read the session data without ever locking the session data. There are also session write operations that just don't need any locking at all. For example if you want to just record the number of pages a user has viewed since they logged in: $_SESSION['pagesViewed']++; With a Redis storage backend for the session data, this can be done without any locking at all, if the application is written without assuming that the session data will be locked. Race condition around regenerated session IDs - The proposal to allow clients that try to use a session ID that has recently been regenerated would not be acceptable for all clients. Some clients would probably prefer to send a HTTP error code (419 Authentication Timeout?) indicating that the client should resend the request with the new session ID. It's also likely that applications would want to allow recently regenerated session IDs to be allowed for read operations, but not for write operations. The previous discussions about improving security for sessions are another example of where the logic isn't simple and what exactly happens when the client changes either I.P. address or useragent during a session is totally dependent on the application. i.e. for a banking application, if the user ever changes IP address, then it would be acceptable to instantly terminate that session. For a shopping application, if the user changes IP address to one that is within a close geographical aread as the original IP address, then the application could let that session continue, and only terminate the session if the new IP address appeared to be physically far away from the original IP adress. Also there are already 26 ini settings for handling the sessions in PHP (ignoring the ini settings related to tracking upload progress). This a pretty clear indication that the handling of sessions is already too complex to be controlled through ini settings alone. At the risk of setting myself up for a fall, I'm going to make a proof of concept userland session manager to try and implement as many of the features under discussion in the various session related RFCs that are open as possible, and will try to publish it in a week or so. It probably won't be anywhere near production ready, but hopefully will provide a basis for discussing moving the session handling from the session_* functions to something that allows people to define the logic in code, rather than being forced to tweak a huge number of config settings. cheers Dan On Sat, Dec 21, 2013 at 10:25 AM, Yasuo Ohgaki wrote: > Hi all, > > This was discussed before. > I've created RFC for more discussion. > > https://wiki.php.net/rfc/session-lock-ini > > Please comment if any. > > Thank you. > > -- > Yasuo Ohgaki > yohgaki@ohgaki.net