Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:90940
Return-Path: <danack@basereality.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 34508 invoked from network); 26 Jan 2016 15:05:50 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Jan 2016 15:05:50 -0000
Authentication-Results: pb1.pair.com smtp.mail=danack@basereality.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=danack@basereality.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain basereality.com from 209.85.160.179 cause and error)
X-PHP-List-Original-Sender: danack@basereality.com
X-Host-Fingerprint: 209.85.160.179 mail-yk0-f179.google.com  
Received: from [209.85.160.179] ([209.85.160.179:33740] helo=mail-yk0-f179.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id BF/C7-10534-D4B87A65 for <internals@lists.php.net>; Tue, 26 Jan 2016 10:05:49 -0500
Received: by mail-yk0-f179.google.com with SMTP id k129so203172550yke.0
        for <internals@lists.php.net>; Tue, 26 Jan 2016 07:05:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=basereality-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=tsoqL2r/kfjP8ZfcwMADyDuq8d1hPcWdN2T/ftmphkQ=;
        b=ZRrKf+eSKrB7j783mFH0RMrKLKrTshlm1bwsoaxQzV6qmdMgDzl73UFT6YutbCO5eR
         DrkVa4sCBeOdMmkaVDeR5UR88ULQvVJIN12KPepbixzA9oaZoNlzwWW117P+PZV1BYFt
         QfIwe5qhNG8pdfbsaJGxnsbuCuTCiNNa6rMd51hNlUN5dF309tp+nP0NJ1/beDcRVP43
         hAzm9b25x5kNu04GEl10gLXo7W0CzIH9mCRmkj0OD0X/W6fQvc4Rb3BZ7Dnm47Pj8NAw
         Ke5MqmqCY5ErflaveNuUHrAlHfw0p/WMV2BI8+LbRxz1pYgPEyptG1Kumbs5eCNDcOBU
         mhXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:in-reply-to:references:date
         :message-id:subject:from:to:cc:content-type;
        bh=tsoqL2r/kfjP8ZfcwMADyDuq8d1hPcWdN2T/ftmphkQ=;
        b=aCVHZWq8kF4vAbZ+WonrYEjVfcE6434/osUcOdjUUYHvnsA/YgYofjgzrIT9zMtBdH
         z/F6ZBMH1oRU0GSUJCwPvERooR8VUFZ6+Bmxm4DUr45MUm4t5UjRTNcCkJ5Ttk1gVDxO
         unVfC9u5ya7vNbfQUAsPZw86G9M3qC55msexJHhjjNg2CApRwf/+NF/aFKI/bsmClj1B
         DjsnMRaUrAxT2QmaPLZjkKXjm5STQ1QBpetCehQxh/pzGC52MkgN+XvQuOBKG6JVInQQ
         djw8mqdSCVxyyeO//RBzTAHdHvmhlpdgTu6rLjxLnQMAkFGZdlLVR9CNVTBXAWmtlDKI
         Wb/g==
X-Gm-Message-State: AG10YOQOWimbQYpTVWyivjg9Al040iRV7sHvbVMvEDMOvZb02iNJFue9e2xjSapN++gnSN/T4ZuCS0qORDsSYQ==
MIME-Version: 1.0
X-Received: by 10.37.76.7 with SMTP id z7mr9994589yba.164.1453820746344; Tue,
 26 Jan 2016 07:05:46 -0800 (PST)
Received: by 10.37.83.131 with HTTP; Tue, 26 Jan 2016 07:05:46 -0800 (PST)
X-Originating-IP: [78.145.240.77]
In-Reply-To: <CAGa2bXZ3gFegniSBCtfnnrrotbdCh+MjGufC11nYhd7kH31tuQ@mail.gmail.com>
References: <CAGa2bXbg_kebBVg3tSh4uFHZ6nQXRbjUXNQa0JZx9sezQqb5kg@mail.gmail.com>
	<CAGa2bXYZXkCJwFKVwaNfV+OEw0FzeFFbtxLm0zRmFVE_b4xsMw@mail.gmail.com>
	<CAGa2bXbRJMZFcXfZc9o7YnAhkDRfYKPjO+10k-eKXdoGNTREbg@mail.gmail.com>
	<CAGa2bXYGpV=P-680ig1LOkYWsSRS-Ya2rYVa3wo3vrxdT=zwiw@mail.gmail.com>
	<56A727C3.9070505@gmail.com>
	<CAGa2bXYj6iCvKqcpf_p6Dm_TNOxtVozry=AONKWu9-VKzb_FHw@mail.gmail.com>
	<CAGa2bXZ3gFegniSBCtfnnrrotbdCh+MjGufC11nYhd7kH31tuQ@mail.gmail.com>
Date: Tue, 26 Jan 2016 15:05:46 +0000
Message-ID: <CA+kxMuR=JQugpLhG2ghGtAbwO=JBvKsAaFU2AqNRw++3unJ9MQ@mail.gmail.com>
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
Cc: Stanislav Malyshev <smalyshev@gmail.com>, 
	"internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Re: [RFC Discussion] Precise Session Management
From: danack@basereality.com (Dan Ackroyd)

On 26 January 2016 at 12:17, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> I'll appreciate if one could find defect if there is.

The problem is that you're trying to build on a foundation of sand.
The session handling works but is incredibly fragile.

Or to put it more colloquially this is a "how to get to Dublin
problem". To get to having a more secure and reliable session
handling, we need to start from some where else, not just keep
building on top of the current session handler code.

The proposed RFC is not a good way to proceed. Having functionality
depend on setting values in an array like this (as far a I've
undertood the RFC):

// Resend new session ID once. This will reduce chance of client
// race and lost session by unstable network to acceptable level.
$_SESSION['__PHP_SESSION__']['NEW_SID_SENT'] = time();

is not a sensible way of programming imo. Additionally, changing code
that is apparently very fragile and so breaking people's applications
in subtle ways, is not something we should be doing.

> Anyway, we may be better to talk about how it should be.
> For this thread, how session management should be.
> It's just not good enough currently.

To me, there are two good ways to proceed:

i) Develop a new session extension, that doesn't depend on magic
behaviour of globals and leave the current session handler as it is.
The new session extension could be shipped as a 'work in progres' when
it's good enough, before PHP 8. Then when it's stable, we could figure
out how to transition users from the old extension.

ii) Develop a session handler in userland code only. PHP is powerful
enough to support this. Although obviously there are big benefits to
shipping a session handler with PHP, I don't see any need for it to be
done internally other than we don't currently have a way of shipping
userland code with an extension. I'm hoping that before PHP 8, the
ability to ship PHP code as part of extensions would be in place.

Either of those two would be feasible. The proposed RFC doesn't appear
feasible to me.

cheers
Dan