Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:89866
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 67613 invoked from network); 22 Dec 2015 09:23:28 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Dec 2015 09:23:28 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.160.171 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.160.171 mail-yk0-f171.google.com  
Received: from [209.85.160.171] ([209.85.160.171:35678] helo=mail-yk0-f171.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A8/9A-51216-F8619765 for <internals@lists.php.net>; Tue, 22 Dec 2015 04:23:27 -0500
Received: by mail-yk0-f171.google.com with SMTP id v6so157605146ykc.2
        for <internals@lists.php.net>; Tue, 22 Dec 2015 01:23:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type:content-transfer-encoding;
        bh=8I3BkPD57x8BZrPbBJed3hMBWK8zheUlbCUf1b/xclk=;
        b=bmsc7rsiS5TOqmDiOp83lEmZLkUwpDNFuXGwyzpsbBmBk2ph/HFOZUBoCRoFNqb14i
         geVeZL/r4w+S8t0HRk6fhFx73OgOoMAU9afZPGZHvkZWKFlUvLzIOdHoSeEzD5C+kXug
         nleJDsbOAmKqpMnboYynFk9y3JgJ/AUP2bW/+FXqAFVKWjUGAOSDADVvUcwdsagwWTI9
         PCO2ODoA3icpGZy8g4Dhcc08LjQbquX1UMOebY7/CHngQ2NsKxnvFcap73lVLx9c/VID
         tRO3iMLeixxxQRseEhp4L44Ve6b5CtiCTn+ynwdX/KCdt41OI5LCAT1Q1T+FZRWhi3DW
         5f2g==
X-Received: by 10.129.56.132 with SMTP id f126mr18324753ywa.220.1450776205073;
 Tue, 22 Dec 2015 01:23:25 -0800 (PST)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.13.218.2 with HTTP; Tue, 22 Dec 2015 01:22:45 -0800 (PST)
In-Reply-To: <F2DF56F7-C2D2-4F5B-8123-08C29681068B@gmail.com>
References: <CAGa2bXbg_kebBVg3tSh4uFHZ6nQXRbjUXNQa0JZx9sezQqb5kg@mail.gmail.com>
 <CAGa2bXaiqHvAxW4OdcAWfGk2KpMW9ZmZsODSK7W2p4j6_FL79w@mail.gmail.com>
 <CALrkBjaWRc-1=HKZOm3gOuRSNyjUuW94PdYDOdOg1sQOOqXXgg@mail.gmail.com>
 <CAGa2bXbJTjwdgL++o75tWir=HbCeioBVtyFyauD0et8CEjmnLg@mail.gmail.com> <F2DF56F7-C2D2-4F5B-8123-08C29681068B@gmail.com>
Date: Tue, 22 Dec 2015 18:22:45 +0900
X-Google-Sender-Auth: HOtXxg81O18uBuMzNQFq_5_0QN8
Message-ID: <CAGa2bXYFCc5+th5kZ-Svdz5a97TEzkPo5Wh9g0LvGoxxNZiaHg@mail.gmail.com>
To: Grzegorz Zdanowski <grzegorz129@gmail.com>
Cc: Mike Willbanks <pencap@gmail.com>, "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] [RFC Discussion] Precise Session Management
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Grzegorz,

On Tue, Dec 22, 2015 at 5:42 PM, Grzegorz Zdanowski
<grzegorz129@gmail.com> wrote:
>> On 22 Dec 2015, at 06:37, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>> (=E2=80=A6)
>> From user point of view, $_SESSION['__SESSION_INTERNAL__'] is a new rese=
rved/
>> restricted session key.
>>
>
> Personally I think it=E2=80=99s a bad way to handle such thing. Adding ye=
t another =E2=80=9Emagic=E2=80=9C
> keyword/reserved field is going to make current situation worse.

Current situation is bad enough already. I've tried to advocate proper sess=
ion
management including "strict session ID management" for years w/o success.
i.e. session.use_strict_mode=3D1
I think enough time is gone by already.

The same argument applies to CSRF protection. I'll add automatic and site w=
ide
CSRF protection by using internal session data structure in the
future, hopefully
for 7.1.

> I know users should not use names starting with __, but in reality I see =
them
> almost everyday. I even seen __SESSION_INTERNAL__ used once.

Thank you for good feedback.
I may use more cryptic name for it.
Any suggestions?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net