Newsgroups: php.internals
Date: Sun, 16 Mar 2014 15:11:45 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: "internals@lists.php.net"
Subject: Re: [PHP-DEV] [VOTE] RFC: Introduce session_start() options - read_only, unsafe_lock, lazy_write and lazy_destroy

Hi all,

On Fri, Mar 7, 2014 at 5:34 AM, Yasuo Ohgaki wrote:

> Hi Peter,
>
> On Mon, Mar 3, 2014 at 7:56 PM, Peter Cowburn wrote:
>
>> Is this vote still in-progress? The RFC page says yes, but the closing
>> date has long-since passed.
>
>
> Thank you for the reminder.
> Proposal 1 passed 9 vs 1.
> Proposals 2 and 3 were declined 1 vs 7 and 1 vs 6.
>
> Lazy deletion is a design bug fix. This issue cannot be solved without
> delayed deletion due to technical reasons of current web technology. This
> also involves session security. The current implementation also allows
> attackers to exploit a stolen session as long as they want.
> I'll come back to this issue later.
>
> Thank you all for voting!
>

The modified patch for this RFC is here:

https://github.com/yohgaki/php-src/compare/PHP-5.6-rfc-session-lock

There may still be leftovers. I'll check it again later, but it would be
appreciated if you find any.

Someone asked if I'm going to allow changing all of the session INIs via
session_start(). I think it's good to have.

I would like to implement this as a hash of INI options and handlers, like

"option_name" => function_of_INI_modify_handler;

This way, I can iterate over the parameter array easily/efficiently, change
INI values easily/efficiently, and raise appropriate errors.

Any comments on this?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
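
The "option_name" => handler table proposed in the message, as an added C example (not part of the original post and not php-src code). The struct, the handler functions and apply_options() are hypothetical names; gc_maxlifetime stands in for any other session INI, and an unknown name or malformed value is rejected before any setting changes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical per-request session settings; not a php-src structure. */
struct sess_cfg { int read_only; int lazy_write; long gc_maxlifetime; };
typedef int (*opt_handler)(struct sess_cfg *cfg, const char *value);

/* Strict boolean: only "0" or "1" is accepted. */
static int parse_bool(const char *v, int *out) {
    if (strcmp(v, "0") != 0 && strcmp(v, "1") != 0) return -1;
    *out = (v[0] == '1');
    return 0;
}
static int set_read_only(struct sess_cfg *c, const char *v) { return parse_bool(v, &c->read_only); }
static int set_lazy_write(struct sess_cfg *c, const char *v) { return parse_bool(v, &c->lazy_write); }
static int set_gc_maxlifetime(struct sess_cfg *c, const char *v) {
    char *end;
    errno = 0;
    long n = strtol(v, &end, 10);
    if (errno != 0 || end == v || *end != '\0' || n <= 0) return -1;
    c->gc_maxlifetime = n;
    return 0;
}
/* The "option_name" => handler table: one entry per option that may be set. */
static const struct { const char *name; opt_handler fn; } handlers[] = {
    { "read_only", set_read_only }, { "lazy_write", set_lazy_write },
    { "gc_maxlifetime", set_gc_maxlifetime },
};
struct opt { const char *name; const char *value; };

/* Returns 0 on success, else the 1-based index of the first rejected option.
   Handlers write to a copy, so cfg changes only if every option validates. */
int apply_options(struct sess_cfg *cfg, const struct opt *opts, size_t n) {
    struct sess_cfg tmp = *cfg;
    for (size_t i = 0; i < n; i++) {
        opt_handler fn = NULL;
        for (size_t j = 0; j < sizeof handlers / sizeof handlers[0]; j++)
            if (strcmp(opts[i].name, handlers[j].name) == 0) fn = handlers[j].fn;
        if (fn == NULL || fn(&tmp, opts[i].value) != 0) {
            fprintf(stderr, "invalid session option '%s'\n", opts[i].name);
            return (int)i + 1;
        }
    }
    *cfg = tmp;
    return 0;
}
int main(void) {
    struct sess_cfg cfg = { 0, 0, 1440 };
    const struct opt opts[] = { { "read_only", "1" }, { "no_such_option", "1" } }; /* constructed input */
    return apply_options(&cfg, opts, 2) == 2 ? 0 : 1;
}
```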