Newsgroups: php.internals
Date: Wed, 27 Jan 2016 15:25:49 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: Remi Collet, internals@lists.php.net, Yasuo Ohgaki
In-Reply-To: <56A85967.4090603@gmail.com>
Subject: Re: [PHP-DEV] PHP 7.0.3 RC1 is available for testing - **** BC break ***

Hi Stas,

On Wed, Jan 27, 2016 at 2:45 PM, Stanislav Malyshev wrote:
>> Note for this issue.
>> The change does not break normal code, as PHP cannot set a new session
>> ID when the header is already sent. The session is _not_ accessible
>> anyway. Not writing an orphaned session does not matter at all.
>
> So it looks like this particular breakage is because write does not
> happen when cookies could not be sent. However, it is not necessarily
> true that the session is not accessible in this case - the session ID can be
> passed by other means, not only via cookies, and it also may be an existing
> session ID. The second part of this test opens a session with a known ID,
> but write still does not happen.
> I think assuming that if cookie sending failed then the whole session
> failed is dangerous. Also, removing session write is a pretty serious
> change, I'm not sure this should be happening in a stable version.

It's correct. I ignored transid because of a severe security bug in it that you should know of. (This is for others. We've been talking about the fix off this list. Please don't use transid, or use it with extreme care with URL outputs. It's been broken for a long time.)

So the correct behavior would be: if transid is enabled and use_only_cookies is disabled, write the session data. So the code should be

    /* headers already sent: abort only when the ID cannot reach the client by any means other than the cookie */
    if (!PS(use_trans_sid) || PS(use_only_cookies)) { php_session_abort(); }

Good point!

>> If you understand exactly what is happening, it is understandable this
>> is not a BC break for production code, but only breaks test code that
>> inspects session behaviors and found out the bogus write() is gone now.
>>
>> Anyway, to fix existing app/framework unit test failures (it's not
>> fixing anything but leaving the bogus write(), though),
>> removing php_session_abort() from php_session_cache_limiter() should be enough.
>
> Yes, this patch: https://gist.github.com/smalyshev/4d8435b7993bef80c0ed
> fixes it for me. Remi, could you check that it also fixes the failures
> in the test suites?

Thank you for verifying it.

So the question would be whether we are going to revert the part that breaks unit tests (or even discard the whole patch that returns the correct session_start() return value and fixes the save handler abuse crashes), or add the necessary "if" statement to return the correct value.

One could argue that if the cookie cannot be sent, it should fail, but I think it's OK to return TRUE if the session could persist via transid.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
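For readers who want to see what the failing framework tests were observing, here is an added example (not code from the thread or from PHP itself): a recording save handler run from the PHP CLI, which shows whether write() is called and what session_start() returns when output has already been sent. The run_inspection() function and its use_only_cookies parameter are assumptions made for this example.

```php
<?php
// Added example (not code from the thread): a save handler that records
// every call PHP makes to it, so a test can observe whether write() runs
// when session_start() is called after output, and so headers, were sent.
class RecordingHandler implements SessionHandlerInterface
{
    public $calls = [];    // handler methods PHP invoked, in order
    private $store = [];   // in-memory session data keyed by session ID

    public function open($path, $name): bool { $this->calls[] = 'open'; return true; }
    public function close(): bool { $this->calls[] = 'close'; return true; }
    public function read($id): string
    {
        $this->calls[] = "read($id)";
        return isset($this->store[$id]) ? $this->store[$id] : '';
    }
    public function write($id, $data): bool
    {
        $this->calls[] = "write($id)";
        $this->store[$id] = $data;
        return true;
    }
    public function destroy($id): bool { $this->calls[] = "destroy($id)"; unset($this->store[$id]); return true; }
    public function gc($max_lifetime): int { $this->calls[] = 'gc'; return 0; }
}

// Start a session after output has been sent and report what happened.
// $useOnlyCookies mirrors session.use_only_cookies, the setting the
// proposed "if" statement above would consult (assumed test parameter).
function run_inspection($useOnlyCookies)
{
    $handler = new RecordingHandler();
    session_set_save_handler($handler, true);
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', $useOnlyCookies);

    echo "output sent before session_start()\n";   // headers_sent() is now true

    $started = @session_start();   // "Cannot send session cookie" warning silenced
    $_SESSION['probe'] = 'value';
    session_write_close();

    return ['started' => $started, 'calls' => $handler->calls];
}

$result = run_inspection('1');
printf("session_start() returned %s\n", var_export($result['started'], true));
printf("handler calls: %s\n", implode(', ', $result['calls']));
```

Whether a write(...) entry appears in the call list, and whether session_start() reports true or false, depends on which of the builds discussed above you run it under; that difference is exactly what the unit tests picked up.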