Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:91881 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 49643 invoked from network); 23 Mar 2016 23:06:56 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 23 Mar 2016 23:06:56 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.67 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.213.67 mail-vk0-f67.google.com Received: from [209.85.213.67] ([209.85.213.67:34417] helo=mail-vk0-f67.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 3D/E1-36618-F8123F65 for ; Wed, 23 Mar 2016 18:06:55 -0500 Received: by mail-vk0-f67.google.com with SMTP id e6so3287968vkh.1 for ; Wed, 23 Mar 2016 16:06:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=aePlfb53TdsCj5+JVHR5GYbcQMLvQgN8Rr2eul7Q0jQ=; b=tQpUcYpLRIzOTTEfnkpyUki8nC4uYHdy/I0xQ0XG88djWjYVCAJuAxN+EK3pMpbFND wGrvZ55JFzRQbFWtKlZhDkg2asDIwO+1qfHPXlusLTI2k92XbPIdos/hva3Da7CYpxvW a5Wkdv52eKt0Pnn24s836fmeK1q5tb6hayBK/YEUdNN97T1QvEmhCH2z9U6QLXITdr/0 N8rfEzEKSrO4WraZ6FN58XK9ow3sG5my6J/lmkHi8g6XMxDo1fQxE2THoRCX99MBdVXQ hFgUnbIv20oG049+scjIoVME5n0xSzj7I+Y75I4Aajzth5I0FLnCevMy0UtwHEzf/NJO GcSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=aePlfb53TdsCj5+JVHR5GYbcQMLvQgN8Rr2eul7Q0jQ=; b=Zm23NLwwAArib86l4rJ49us4dU35uS6vc+6QUUOzXeaEX447hGH3Yym2wVT76kkkjY HODV8Q1Bv+LOsoeEG/17NIfIkYf7kHdtuYRBR4QZH2CpmkHmfZgD7w+fbEWlA3TJXSOI wgrUQSjcbHhk6ELT3mD1Y/IbU6XwJEPNgxW+BCpjproE6BiZQG9FE75GQv6hfrtBEeGV SgWb3fhaltTT4tzEni8g/CMtHISBMk9x/hNqzmzvsB3g/R/0uc/9eJEShRhbpVqEoF6G rmJ6mJRHNVmsdtMyOWA+BXW38Yqp5D/40jUl8o0mw72iAzucn/muqLeatk/bpn9iNhTp mjhA== X-Gm-Message-State: AD7BkJI7/ARev+LVmSLxj5fTvixZJO7JdQqccALZaWdpU/T+jghgIFy5ipU8+1Ck3Lox7StiB6fGAcnqPE7e7A== X-Received: by 10.31.150.76 with SMTP id y73mr2890095vkd.84.1458774412468; Wed, 23 Mar 2016 16:06:52 -0700 (PDT) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.159.40.98 with HTTP; Wed, 23 Mar 2016 16:06:12 -0700 (PDT) In-Reply-To: <56F30047.3090707@gmail.com> References: <56F1A28F.90000@pascal-martin.fr> <56F30047.3090707@gmail.com> Date: Thu, 24 Mar 2016 08:06:12 +0900 X-Google-Sender-Auth: jWqY65cU8LYX1m-1v7uGBmSFGls Message-ID: To: Stanislav Malyshev Cc: Andrey Andreev , "internals@lists.php.net" Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] [RFC][VOTE] Precise session management From: yohgaki@ohgaki.net (Yasuo Ohgaki) Hi Stas, On Thu, Mar 24, 2016 at 5:44 AM, Stanislav Malyshev wrote: >> Offending features may be disabled/changed by INI settings. I think it ok >> to say pretty much no BC issue. > > I think this approach will lead us into problems. "It may be disabled by > INI setting" does not mean the problem does not exist (and btw not > everything that changes can be disabled AFAIR). Most BC breaks have > workarounds, but they still are BC breaks. Moreover, some of the changes > are default changes, which means basically users will have to undo what > this RFC does - if we think they'd have to do it, why change it in the > first place? Right. Not everything cannot be disabled, but it should be matter for applications. Session data is managed more strict manner by timestamping and apps do not have to care about it. It just works more precisely than now. Only concern is test program that inspects session behaviors. New session will not delete session data immediately and contains additional array. Therefore, save handler function execution order changes and test program may detect existence of to be deleted sessions and/or additional array. > > I also feel that sheer size of this RFC, the fact that it tried to fix > many unrelated issues, and amount of changes it brings leads to the > situation where people don't really discuss it properly but instead rely > on claims in the RFC that everything is fine, because it is very hard to > properly consider changes of this size with this many moving parts. At > least the discussion on the list was rather scarce as far as I can see. I'll try to divide into pieces next time. > >> The difference that user/3rd party save handlers will see is an additional >> array in session data. The additional array should not cause any problems >> with session save handlers. > > The change is not limited to additional data. This additional data is > active - it controls how sessions are supposed to behave. All these need > to be updated when something happens, all these need to be checked, > validated and user for various logic on various stages of session > lifetime. So saying "it's just some additional data, nothing of it" is > not true - it's not just data. Maybe everything is still OK with the > session handlers - but this needs to be thoroughly verified, it does not > come for free. As you mentioned, this RFC contains BC. Most important for apps is automatic session ID regeneration. Automatic session ID regeneration is enabled by default, but it can be disabled if apps cannot support this. Another issue is obsolete session data. Currently, it is left for GC or removed immediately. Leaving obsolete session data to GC is not good, but removing it immediately is not good also. We need to change the behavior. The basic logic is used and tested by very large site, so it can be said it's tested and worked. Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net