Newsgroups: php.internals
Date: Sun, 21 Sep 2014 03:22:55 +0300
Subject: Re: [PHP-DEV] Bug #68063: session-related, how to fix it?
From: narf@devilix.net (Andrey Andreev)
To: Tjerk Meesters
Cc: Florian Margaine, "internals@lists.php.net"

Hi,

On Sun, Sep 21, 2014 at 3:12 AM, Tjerk Meesters wrote:
>
>> On 20 Sep, 2014, at 11:35 pm, Florian Margaine wrote:
>>
>> Hi list,
>>
>> I saw this interesting bug: https://bugs.php.net/bug.php?id=68063
>>
>> Basically, if `session_id('')` is run before `session_start()`, weird
>> things happen.
>>
>> The bug reporter proposes 2 ways to fix this:
>>
>> - `session_start()` should silently fix the situation
>
> I would opt for this, if an invalid session id is given a warning should be emitted and a new id generated.
>
>> - or `session_start()` should noisily fail
>>
>> Both solutions look fine to me, but I'm not sure what PHP should do. Should
>> it be resilient and silently fix the situation?
>>
>> Regards,
>>
>> *Florian Margaine*

A warning triggered by a session_id() might make sense, but not if it is the cookie that's invalid.

Cheers,
Andrey.