Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:78560 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 54102 invoked from network); 2 Nov 2014 13:49:19 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Nov 2014 13:49:19 -0000 Authentication-Results: pb1.pair.com header.from=danack@basereality.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=danack@basereality.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain basereality.com from 209.85.212.181 cause and error) X-PHP-List-Original-Sender: danack@basereality.com X-Host-Fingerprint: 209.85.212.181 mail-wi0-f181.google.com Received: from [209.85.212.181] ([209.85.212.181:35208] helo=mail-wi0-f181.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 72/04-13276-E5636545 for ; Sun, 02 Nov 2014 08:49:18 -0500 Received: by mail-wi0-f181.google.com with SMTP id n3so4477619wiv.8 for ; Sun, 02 Nov 2014 05:49:15 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=9clxYwHLSUz7fojQlcN2b+0f6Kd6D9duEyQL5ecsKw8=; b=jipQPuTVyMxg5OmOqYa23P6QUn0iIDnDepAckaK9Ch+QwWuLZYJwEfcKq6Z86wtsqF A9HeNsSvh9hQsQx/kluFJesi8IMtoSFf1A37jtBTA2V3NTofB043EreWvbaz7AM3VCZ+ fBXz04IuFPKhe0309e+BntoLgHrGqK0cW4uSK3Kw+8UnNBaAPh1k/oZBQu5X9OPvarUE qbobQjKJ3ct7iaRu7/yi8t7vJUyiaZx9YWwk4saPFbeE29VgqFRHQQGKS1o2lMRZf6a+ e+mK3U03pkWOG7/BmMfNZtsQhzfrvLWiLF8J/vXuax9t1WtGSUDIZ+GaHjQuAYBQifYM EzqQ== X-Gm-Message-State: ALoCoQlrpwdO8W0iQRqgbkCwSHgNyD6lIp0mt3Ee2rQows9qC/yKItTBG5aC8RZXhme6WNQIrGcR MIME-Version: 1.0 X-Received: by 10.194.205.132 with SMTP id lg4mr3208691wjc.84.1414936155657; Sun, 02 Nov 2014 05:49:15 -0800 (PST) Received: by 10.216.11.70 with HTTP; Sun, 2 Nov 2014 05:49:15 -0800 (PST) X-Originating-IP: [2.99.239.194] In-Reply-To: <581CB00C-59B7-4263-8533-D7DCB54C806E@ajf.me> References: <545554F7.70906@gmail.com> <581CB00C-59B7-4263-8533-D7DCB54C806E@ajf.me> Date: Sun, 2 Nov 2014 13:49:15 +0000 Message-ID: To: Andrea Faulds Cc: Rowan Collins , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] setcookie() minor BC break - fixes issue #67736 From: danack@basereality.com (Dan Ackroyd) Andrea wrote: >Perhaps it would be worth ditching any attempts to change setcookie() (jus= t keep it around for backwards-compatibility), and to instead add a new fun= ction, function family, or indeed class for cookie handling. > >Thoughts? Any idea what such an API might look like? I think this API could and should exist totally in userland. Although it's nice that PHP ships with basic session support with it, the exact details of session handling actually involve non-trivial business logic * What happens when the users IP address changes? * What happens when a user tries to use session ID that has been invalidated through session regeneration 2 seconds ago, 30 seconds. * What rules should be applied to check the session integrity e.g. user-agent checks. All of the above can be done 'trivially' in userland. There is absolutely no need to attempt to put the functionality for this in core. cheers Dan On 1 November 2014 22:24, Andrea Faulds wrote: > >> On 1 Nov 2014, at 21:47, Rowan Collins wrote: >> >> On 01/11/2014 21:10, Alexander Kurilo wrote: >>>> What should be done? Trying to keep BC at a minimum by adding an >>>> unsetcookie() method and add warnings? Try to detect the deletion of >>>> cookies (empty value) and add warnings to keep even more BC? >>> Just in case: I believe cookies are removed not by setting an empty val= ue to them, but by setting their expiration date to a timestamp the past. >> >> My first thought on seeing unsetcookie() as a name was that it will lead= to a lot of confusion as to what it actually does; if you didn't know abou= t this discussion, would you expect it to: >> >> a) remove a Set-Cookie header which has been added to the current respon= se (the actual behaviour required to avoid the behaviour that SHOULD NOT be= done according to the RFC), leaving any cookie the remote UA has stored un= touched? >> b) add a Set-Cookie header to the response to expire an existing cookie = the remote UA might have stored (a useful feature, but unrelated to this bu= g)? >> c) replace any existing Set-Cookie header with that cookie name with one= which instead expires that cookie (i.e. both a and b at the same time)? > > I=E2=80=99d expect it to do (a). But I can see your point with (b) and (c= ). > >> What seems to actually be wanted is more like replace_cookie() - "I aske= d you to set this cookie earlier this page load, but actually set this one = instead". Or, equivalently, some change to setcookie()'s parameter list to = allow this behaviour, as others have suggested. >> >> There is already a lot of confusion around the difference between the co= okies in $_COOKIE and those set with setcookie() (i.e. that your new cookie= won't show up in the superglobal until next request). The idea of removing= something from the list of cookies which are queued to be set by this resp= onse is not something that's easy to explain clearly in that context, so I = think the naming and documentation of any such feature needs to be approach= ed very carefully. > > Perhaps it would be worth ditching any attempts to change setcookie() (ju= st keep it around for backwards-compatibility), and to instead add a new fu= nction, function family, or indeed class for cookie handling. Some sort of = sane API which would allow you to do a, b, or c, and make it clear which yo= u wanted. > > Thoughts? Any idea what such an API might look like? > -- > Andrea Faulds > http://ajf.me/ > > > > > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php >