Newsgroups: php.internals
Date: Fri, 14 Mar 2014 12:44:09 +0200
From: narf@devilix.net (Andrey Andreev)
To: Patrick Schaaf
Cc: internals, Pierre Joye, Yasuo Ohgaki
Subject: Re: [PHP-DEV] Re: Revert session_serializer_name(), session_gc()

Hi,

On Fri, Mar 14, 2014 at 12:30 PM, Patrick Schaaf wrote:
>
> On 14.03.2014 11:07, "Andrey Andreev" wrote:
>
>>
>> This is broken, consider the following (multiple tab/ajax/whatever
>> concurrency) scenario:
>>
>> Request1: session_start(['read_only' => TRUE]);
>> Request2: session_start(); unset($_SESSION['logged_in']);
>> session_commit();
>> Request1: still logged in
>>
>> ^ This screams "danger".
>
>
> That is _not_ broken WRT sessions themselves, because the readonly session
> of request 1 will not be permitted to change session data (it is readonly)
> and as such the situation is the same as if request 1 completed before
> request 2 started.
>
> It _is_ broken when the session lock is "misused" as a lock wrt. other,
> nonsession data / database modifications / whatever else. In that case,
> using the readonly session feature or any other kind of different-lifetime
> session lock scheme is bad for the application - don't do that then.

It is not broken functionally, indeed. It's broken by design - if I
write session_start(), options or not, I would never expect it to
immediately close the session. It's highly misleading and this will
lead to a lot of abuse.

Cheers,
Andrey.
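The Request1/Request2 interleaving from the thread, modeled as an added example (not code from this message or from PHP): it runs the scenario once with a read-only start that drops the session lock immediately and once with an ordinary locking start. `SessionStore`, `Session`, `SessionLocked` and `run_scenario` are hypothetical names, and the model raises where a real session handler would block on the lock.

```python
import threading

class SessionLocked(Exception):
    """Raised where a real handler would block waiting for the session lock."""

class SessionStore:
    # Constructed in-memory stand-in for a session backend with per-session locks.
    def __init__(self):
        self.data, self.locks = {}, {}

    def start(self, sid, read_only=False):
        lock = self.locks.setdefault(sid, threading.Lock())
        if not lock.acquire(blocking=False):
            raise SessionLocked(sid)
        snapshot = dict(self.data.get(sid, {}))
        if read_only:
            lock.release()  # read-only start: copy the data, drop the lock at once
        return Session(self, sid, snapshot, read_only)

class Session:
    def __init__(self, store, sid, data, read_only):
        self.store, self.sid, self.data, self.read_only = store, sid, data, read_only

    def commit(self):
        if self.read_only:
            raise RuntimeError("read-only session cannot write")
        self.store.data[self.sid] = dict(self.data)
        self.store.locks[self.sid].release()

    def current(self, key):
        # Re-read from the store instead of trusting the in-request snapshot.
        return self.store.data.get(self.sid, {}).get(key)

def run_scenario(read_only):
    """Return (request2_ran, request1_snapshot_value, store_value)."""
    store, sid = SessionStore(), "sid-constructed"  # constructed session id
    login = store.start(sid)
    login.data["logged_in"] = True
    login.commit()

    req1 = store.start(sid, read_only=read_only)    # Request1
    try:
        req2 = store.start(sid)                     # Request2: logout
        del req2.data["logged_in"]
        req2.commit()
        req2_ran = True
    except SessionLocked:
        req2_ran = False                            # serialized behind Request1
    return req2_ran, req1.data.get("logged_in"), req1.current("logged_in")
```

With `read_only=True` the logout goes through while Request1 still holds `logged_in` in its snapshot; re-reading through `current()` before a privileged action is the check that catches the stale value.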