Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:73080
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 35551 invoked from network); 12 Mar 2014 11:30:48 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 12 Mar 2014 11:30:48 -0000
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.178 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.217.178 mail-lb0-f178.google.com  
Received: from [209.85.217.178] ([209.85.217.178:39567] helo=mail-lb0-f178.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 8F/63-17005-66540235 for <internals@lists.php.net>; Wed, 12 Mar 2014 06:30:47 -0500
Received: by mail-lb0-f178.google.com with SMTP id s7so6473089lbd.37
        for <internals@lists.php.net>; Wed, 12 Mar 2014 04:30:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=MMIurPVCx3NrSSPT6j73/i013OrqEZtf0/8joGX23H8=;
        b=UQAiBpPQcbANodg/UoC7hPfZa80K5kQqqiZnuYHqM3M7KiXvUatSKLh5EWER3IHA18
         bm6eiQo7PP9oYXiVRjsAaFJfdg55HEv/Yo37iwqvVdmCsaVRDgYv6gN8S3DQ0I0dlOUK
         OLUyz3vXhuenyk+EmBzsMlBZ70D/Y1V6D1xNqNJiBp0r+9ek/A6moLx5l96AFXX9jVwI
         3/Mz57NE4+rWDrU+0cvDftfhudzlP/02nvrlw7SgzZapx9qzIadfCybp4F8lK0heXHTQ
         l+4dNz+w4MXTrqBsLide2jEYHBv/VQkRttDJXuIxAXE9CPI20YcrxoEHcpLN+1Arx67u
         A5nw==
X-Received: by 10.152.36.199 with SMTP id s7mr949115laj.48.1394623843521; Wed,
 12 Mar 2014 04:30:43 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.205.73 with HTTP; Wed, 12 Mar 2014 04:30:03 -0700 (PDT)
In-Reply-To: <CAPhkiZyEqcx+UTPzpyYjz9pxWJnCNDO9pUMQNxvTpnrxmez9nw@mail.gmail.com>
References: <CAPhkiZx=0Vr5p=7VZJD4PeD0ub-khSVMw3G03QhO8CC4xxm11A@mail.gmail.com>
 <CAGa2bXZTU5HzM4oXyiu0PnS=W2Oz1uLP_BnyWBUXyYUTO0tMYg@mail.gmail.com>
 <CAPhkiZz_d_wFPgwwYXJD-A+tz0Uf9KQ6uXNi1HhZGWFF1=W91A@mail.gmail.com>
 <CAGa2bXY86ri7b=rquo8Vbbh5ZoHOkwGBRoPWPup-SVPMu0WEgg@mail.gmail.com> <CAPhkiZyEqcx+UTPzpyYjz9pxWJnCNDO9pUMQNxvTpnrxmez9nw@mail.gmail.com>
Date: Wed, 12 Mar 2014 20:30:03 +0900
X-Google-Sender-Auth: ztud2MViqeC980W5-o5li3JqJr8
Message-ID: <CAGa2bXb5rLU26NDDHkWDw-FYf=vh2J=LAGFrqU3A3JJpOTY_dA@mail.gmail.com>
To: Andrey Andreev <narf@devilix.net>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e0160bb12ca36b004f4672a8a
Subject: Re: Revert session_serializer_name(), session_gc()
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e0160bb12ca36b004f4672a8a
Content-Type: text/plain; charset=UTF-8

Hi Andrey,

On Wed, Mar 12, 2014 at 8:04 PM, Andrey Andreev <narf@devilix.net> wrote:

> On Wed, Mar 12, 2014 at 2:19 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> > Hi Andrey,
> >
> > On Wed, Mar 12, 2014 at 8:54 AM, Andrey Andreev <narf@devilix.net>
> wrote:
> >>
> >> > Users want to have contorl *when* gc is performed rather than luck.
> This
> >> > is
> >> > reasonable. IMO.
> >>
> >> I like control, it's nice and *I already have it*:
> >>
> >>     ini_set('session.gc_probability', 1);
> >>     ini_set('session.gc_divisor', 1);
> >
> >
> > Of course you can.
> > It does not look nice as API. API should have good name for it. IMO.
> >
> > session_gc() is useful for both low traffic site and high traffic site.
> > I don't see reason not to have explicit gc API. User may simply call
> >
> > session_gc();
> >
> > periodically by cron, etc.
>
> There's a very good reason not to have it, you just ignored most of my
> previous email which explained exactly that.
>

Users may abuse INI or API.
If you worry about abuse, it would be better to have API and warn users.

Users should purge deleted session data for security reasons. It is
especially important for low traffic sites. High traffic sites may need
periodic purge due
varying request rate. Not having GC API is API design bug.

If there should not be convenient API, file_get/put_contents() aren't
needed neither.

 >> >> And while session_serializer_name() is just redundant, session_gc()
> >> >> could cause performance issues.
> >> >
> >> > There is session_module_name(), why not session_serializer_name()?
> >>
> >> Why not session_cookie_lifetime()?
> >> Why not session_cache_limiter()?
> >> Why not session_entropy_file()?
> >> etc.
> >
> >
> > Those aren't changed by programs often.
>
> Oh, trust me - cookie lifetime is changed way more often than the
> serializer.
>

It's bad practice, indeed.
User should not change default 0 (session cookie - i.e. cookie only lives
in browser's memory and destroyed by browser termination)

If users need auto login or like, they should implement it properly by
using setcookie(). (i.e. Never use session ID cookie for long life session)

And how do you define often anyway? Sessions are something that are
> setup once, it's rarely the case that a programmer needs to change any
> of the session INI settings more than once in the same program.
>
> > As I wrote, 3rd party save handler implements their own serializers.
> > Not like above example, it is likely called with session_module_name().
> e.g.
> >
> > session_module_name('memcache');
> > session_serializer_name('igbinary');
>
> It's your opinion that this is "likely" done that way. I for one have
> *never* used session_module_name().
> And again, this is not something that people would write more often
> than once in the whole application.
>

It does not matter much if you use often or not.
As an API design, not having session_serializer_name() is strange.


>
> > It looks better than
> >
> > session_module_name('memcached');
> > ini_set('session.serializer_handler', 'igbinary');
>
> It doesn't look better than:
>
> ini_set('session.save_handler', 'memcached');
> ini_set('session.serialize_handler', 'igbinary');
>

I don't mind having discussion deprecating all API that modifying its INI.
I'm some where between +1 and 0 for this.

IMO, this is more explicit and more understandable for people who
> haven't read the manuals for the "custom" functions.
>
> > It's reasonable to have session_serializer_name(), since it would be used
> > with session_module_name(). API should have good name here, too.
>
> I'm again questioning whether session_module_name() is
> useful/necessary in the first place.
>

Now I think I understand your point of view.

 > We may discuss what we should do with module functions that modify it's
> INI.
> > There are number of them already. I think you need RFC for this.
>
> On this, I agree.
>

Consistency matters. I'm trying to be consistent with current way.

I'm tends to agree deprecating all INI modifying APIs ;)
Let's have the RFC, I'll vote +1 for it.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

--089e0160bb12ca36b004f4672a8a--