Newsgroups: php.internals
Xref: news.php.net php.internals:73215
Date: Mon, 17 Mar 2014 13:10:05 +0200
From: narf@devilix.net (Andrey Andreev)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Session: deprecating create_sid() method and add createSid()?

On Mon, Mar 17, 2014 at 12:51 PM, Yasuo Ohgaki wrote:
> Hi Andrey,
>
> On Mon, Mar 17, 2014 at 7:23 PM, Andrey Andreev wrote:
>>
>> There's no SessionHandler::create_sid() or
>> SessionHandlerInterface::create_sid() documented (see your own link to
>> the docs) ... since when is this available?
>>
>> I'm not sure if exposing it is a good idea anyway, why is it necessary?
>
>
> This change is not mine. It was added about 10 years ago, IIRC.

And for 10 years it has not been documented? Really, are you sure that
it is exposed to userland at all?

> Having createSid() could be useful. For example, user may have certain
> prefix for session
> IDs. User ID prefix is especially useful to know how many active sessions
> are there.
> (Note: I advise to use MD5('user_id'.'random_secret') for user ID prefixing
> if user_id
> shouldn't be exposed.)

Surely that prefix can just be prepended to the $session_id that gets
passed to read(), write(), destroy() methods. This argument was given
to me when I proposed a session.match_ip feature.

Why not add this as an option to session_start()? Example:

    session_start(['id_prefix' => 'foo_']);

(could be an ini setting, for optimization purposes)

> I've added session_create_id(). Therefore, if users start using it, it does
> not hurt much.
> If users do not need modified session ID, they may call session_create_id()
> simply.

Again with the "I've added this", that I opposed previously for
session_serializer_name(), session_gc() ...

What's session_create_id() useful for? How would you utilize it?

> The reason why this is added is Stefan Esser's strict session patch had
> this, I guess.
> However, his patch was not fully merged and session remained weak until
> 'use_strict_mode'
> patch.

Now I'm confused ... is it added to the core, or just supported as a
part of the suhosin extension and/or hardening patch?

Cheers,
Andrey.
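
The alternative raised in the message above, prepending a prefix to the $session_id passed to read(), write() and destroy() rather than changing how IDs are generated, shown as an added example (not code from the thread or from php-src). ArraySessionStore and PrefixedSessionHandler are hypothetical names, the session ID and payload are constructed, and PHP 8 method signatures are assumed.

```php
<?php
declare(strict_types=1);

// Constructed in-memory backend standing in for files/Redis/DB (hypothetical name).
final class ArraySessionStore implements SessionHandlerInterface
{
    public array $rows = [];
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->rows[$id] ?? ''; }
    public function write(string $id, string $data): bool { $this->rows[$id] = $data; return true; }
    public function destroy(string $id): bool { unset($this->rows[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }
}

// Hypothetical decorator: the client keeps the ID PHP generated; only the
// storage key carries the prefix, so ID generation is left untouched.
final class PrefixedSessionHandler implements SessionHandlerInterface
{
    public function __construct(private SessionHandlerInterface $inner, private string $prefix)
    {
        // Assumption: restrict the prefix to a small, predictable alphabet.
        if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $prefix)) {
            throw new InvalidArgumentException('invalid session key prefix');
        }
    }
    private function key(string $id): string { return $this->prefix . $id; }
    public function open(string $path, string $name): bool { return $this->inner->open($path, $name); }
    public function close(): bool { return $this->inner->close(); }
    public function read(string $id): string|false { return $this->inner->read($this->key($id)); }
    public function write(string $id, string $data): bool { return $this->inner->write($this->key($id), $data); }
    public function destroy(string $id): bool { return $this->inner->destroy($this->key($id)); }
    public function gc(int $max_lifetime): int|false { return $this->inner->gc($max_lifetime); }
}

// Direct calls so the demo runs from the CLI; in an application the handler is
// registered with session_set_save_handler($handler, true) before session_start().
$store = new ArraySessionStore();
$foo   = new PrefixedSessionHandler($store, 'foo_');
$bar   = new PrefixedSessionHandler($store, 'bar_');
$sid   = bin2hex(random_bytes(16));   // constructed stand-in for a PHP-issued ID

$foo->write($sid, 'user|s:5:"alice";');
var_dump($foo->read($sid));           // looked up under the foo_ storage key
var_dump($bar->read($sid));           // same client ID looked up under bar_
// Counting stored sessions per prefix, the use case raised in the quoted reply.
var_dump(count(array_filter(array_keys($store->rows), fn ($k) => str_starts_with($k, 'foo_'))));
$foo->destroy($sid);
var_dump($store->rows);               // backend contents after destroy()
```

The built-in files save handler accepts only a-z, A-Z, 0-9, ',' and '-' in session keys, so a prefix such as foo_ needs a different separator when that handler is the inner store.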