Newsgroups: php.internals
From: smalyshev@gmail.com (Stanislav Malyshev)
Date: Sun, 27 Mar 2016 17:08:49 -0700
Subject: Re: [PHP-DEV] [RFC][Discussion] Precise session data management
To: Chris Riley, Scott Arciszewski
Cc: Yasuo Ohgaki, "internals@lists.php.net"
Message-ID: <56F87611.6040602@gmail.com>

Hi!

>> Could we also add HTTPS detection and enable the secure flag by default
>> when a session is established on an HTTPS endpoint?

You cannot see if your connection would be HTTPS or not - the connection can be terminated on frontend services (like nginx or varnish) that handle HTTPS and then pass the actual work to a backend like fpm or apache or whatever it is. In this situation, you may have no information about whether the connection to the client is HTTPS or not. And in general, AFAIK there is no standard protocol for establishing this kind of info. There are all kinds of ways people do it, but each of them is peculiar to a specific setup.

I also think it is a mistake to have default behavior controlled by external factors beyond the server admin's control. Server behavior should be predictable. The admin should set it up properly; if the admin is not knowledgeable enough to set it up, I don't think we can improve it by introducing variable defaults into the mix.

-- 
Stas Malyshev
smalyshev@gmail.com
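
The situation described in the message above, as an added example that is not part of the original post, the RFC, or php-src: it compares what a backend-side HTTPS check, a proxy-aware check, and an explicit admin setting would decide for the cookie `secure` flag in three deployments. The `$_SERVER` snapshots, the function names, the proxy address, and the use of `X-Forwarded-Proto` as the deployment's convention are all assumptions made for illustration.

```php
<?php
// Added illustration. Each array is a constructed $_SERVER snapshot,
// i.e. what the PHP backend itself would see in that deployment.
$deployments = [
    'TLS terminated by the PHP web server' => [
        'HTTPS' => 'on', 'REMOTE_ADDR' => '203.0.113.7',
    ],
    'frontend terminates TLS, plain HTTP to fpm' => [
        'REMOTE_ADDR' => '10.0.0.5',
    ],
    'frontend terminates TLS, sets X-Forwarded-Proto' => [
        'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
    ],
];

// Hypothetical auto-detection: looks only at the backend's own connection.
function autodetect_secure(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Setup-specific detection: honours X-Forwarded-Proto, but only when the
// request comes from a proxy address the admin has listed (assumed values).
function proxy_aware_secure(array $server, array $trustedProxies): bool
{
    if (autodetect_secure($server)) {
        return true;
    }
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);
    return $fromProxy
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

// Explicit admin choice, identical in every deployment
// (php.ini: session.cookie_secure = 1).
const ADMIN_COOKIE_SECURE = true;

foreach ($deployments as $name => $server) {
    printf(
        "%-48s autodetect=%-5s proxy-aware=%-5s explicit=%s\n",
        $name,
        var_export(autodetect_secure($server), true),
        var_export(proxy_aware_secure($server, ['10.0.0.5']), true),
        var_export(ADMIN_COOKIE_SECURE, true)
    );
}
```

In the second deployment both detection functions report a non-HTTPS connection even though the client is on HTTPS, so a detected default would leave the `secure` flag off there, while the explicit setting does not vary with the topology.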