Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:85345 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 64502 invoked from network); 20 Mar 2015 22:13:34 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 20 Mar 2015 22:13:34 -0000 Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.52 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.218.52 mail-oi0-f52.google.com Received: from [209.85.218.52] ([209.85.218.52:33699] helo=mail-oi0-f52.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 12/D2-64120-38B9C055 for ; Fri, 20 Mar 2015 17:13:26 -0500 Received: by oifl3 with SMTP id l3so72425911oif.0 for ; Fri, 20 Mar 2015 15:13:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=4I51M/HvpWC3/uGrghOFEqjws+NAwCVs3idQwERx5Qg=; b=lOS6F9j+T0cVJRHf5bxMCEL4CFSQXM2VXs19jAi37AByMJ+/x7YlpeVNwuQ/287RS+ qHmYsPRUtCynK2zXsQm4uwbkTjMCHNKejIua3L4HqiZ0wfDHFbsLSHHu78GaFIYdRnoI kUM5fUDg0BIsucA7dmCzlDpu0N5CGqFrkHCS+nKvOhI4UZS1rN4cdwyi86AnKdTGrdGc eLW4Uu0IljLRV3O1gSNRspdykkyKlcIebpXe5VO2a/lFzicmGMDr4Am3yLwD1KP3n3bD 2+5n84hy+tKTqJkOx9S7jAlc2yWbEHEfS//iKRpVS01IKiuFAAANsAN8zt5NVaM/He8R oL3g== X-Received: by 10.60.174.19 with SMTP id bo19mr30055928oec.5.1426889593121; Fri, 20 Mar 2015 15:13:13 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.202.58.2 with HTTP; Fri, 20 Mar 2015 15:12:32 -0700 (PDT) In-Reply-To: References: <20150320101241.GA69273@mail.digitalsun.pl> Date: Sat, 21 Mar 2015 07:12:32 +0900 X-Google-Sender-Auth: jgrBaMlN97ZCxMfk35yMm95slHc Message-ID: To: Mateusz Kocielski Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=089e0118236254f52b0511bf9f24 Subject: Re: [PHP-DEV] Re: Bug #69127 session_regenerate_id(true) randomly generates a warning and loses session data From: yohgaki@ohgaki.net (Yasuo Ohgaki) --089e0118236254f52b0511bf9f24 Content-Type: text/plain; charset=UTF-8 Hi all, On Sat, Mar 21, 2015 at 6:43 AM, Yasuo Ohgaki wrote: > Please note that if destroy fails, then new session is not generated, >> possible (but ugly) solution is to call session_regenerate_id again. >> > > It just does not work. > How do you keep session for lost session? > > Lost session occurs like > > 1. Server executes session_regenerate_id(true), delete old data and send > new session ID with copied data to browser. > 2. Unstable network lost packet that sets new session ID. > 3. Browser thinks old session ID is valid, but there is no session data > for it. > > Besides, there is issue that session data must be deleted may keep alive > forever. Current session management is not predictable and precise at all. > > If there is better idea other than the RFC, I appreciate it. > One more additional note. Databases use 2 phase commit to synchronize multiple databases. Similar method cannot be used because HTTP is stateless. i.e. Connections are closed. Even with HTTP/2, user may have multiple independent connections, i.e. multiple tabs, and there is no lock mechanism. It just cannot work. Therefore, 2 phase commit cannot be used. I cannot think of perfect locking mechanism that synchronize server and browser. i.e. Locking can be done by using additional cookie, but I cannot make sure browsers has synchronized time. If there is reliable locking, synchronous session management can be done. Even if there is, it would cost too much. e.g. Time consuming and too complex for the purpose. Ideas are appreciated. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --089e0118236254f52b0511bf9f24--