Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC][Discussion] Add session_gc()
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: Andrey Andreev, "internals@lists.php.net"
Date: Sat, 16 Apr 2016 06:15:57 +0900

Hi Stas,

On Wed, Apr 13, 2016 at 2:25 AM, Stanislav Malyshev wrote:
>> Lack of proper API for required task is our problem. Misuse is not ours. IMHO.
>
> No, it is our problem. We can't just create whatever and throw it over
> the fence. The properly designed API has to make correct use very easy
> and incorrect use very hard. That's the point of designing the API, not
> just giving people means to run random pieces of C code from PHP.
>
> With that in mind, the API should be designed so that misuse -
> especially unintentional misuse - is hard. Not impossible - that we
> can't do - but hard. It *is* our responsibility.

I know there are different points of view, but I'm against this POV.
There _must_ be an API that achieves well-defined tasks. There are many
APIs that do not do this, but I don't think this would be an excuse.

There are many examples in security related APIs. Examples are

 - Database API that lacks basic escape function.
   Most DB APIs lack "identifier" escape API or even "string literal" escape API.
 - XPath 1.0 lacks "string literal" escape API at all.

I guess the API author's intention is "to avoid misuse of escape API".
This approach is proven to create more issues rather than preventing issues.

IMHO, there must be an API for well defined/mandatory/recommended tasks.

>
>> The best way to perform GC would be cron task. Low traffic sites can
>> make sure obsolete session is deleted. High traffic site can avoid
>> occasional slow down by GC. I suppose almost all high traffic sites
>> use memcached or the like that does not require PHP's session GC at all,
>> though.
>
> Please be aware that the use case you are currently considering -
> whatever it is, does not matter - is about 0.001% of all use cases, or
> less. Just because PHP runs on millions of sites with wildly different
> requirements. So we should support big sites, small sites, slow sites,
> fast sites, etc.

My proposal is based on the previous point of view. All PHP users
_should_ avoid probability based GC whenever it is possible. Why
shouldn't we have an API that kills the custom of probability based usage?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
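
The XPath 1.0 case named in the message, as an added example that is not part of the original post or of PHP itself: because XPath 1.0 has no escape character inside a string literal, callers have to build the literal themselves, falling back to `concat()` when the value contains both quote kinds. `xpath_string_literal()` is a hypothetical helper name, and the document and lookup value are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build an XPath 1.0 string literal for arbitrary text.
 * Hypothetical helper (not a PHP built-in). XPath 1.0 literals cannot
 * contain their own delimiter, so mixed quotes need concat().
 */
function xpath_string_literal(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";          // no single quote: wrap in '...'
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';          // no double quote: wrap in "..."
    }
    // Both quote kinds present: split on ' and re-join the pieces with "'".
    $parts = [];
    foreach (explode("'", $value) as $i => $chunk) {
        if ($i > 0) {
            $parts[] = "\"'\"";             // the single quote, as a "..." literal
        }
        if ($chunk !== '') {
            $parts[] = "'" . $chunk . "'";  // chunk has no ' left, so '...' is safe
        }
    }
    return 'concat(' . implode(', ', $parts) . ')';
}

// Constructed sample data: one name contains both quote kinds.
$names = ['alice', 'Conan "Coco" O\'Brien'];

$doc  = new DOMDocument();
$root = $doc->createElement('users');
$doc->appendChild($root);
foreach ($names as $name) {
    $user = $doc->createElement('user');
    $user->setAttribute('name', $name);
    $root->appendChild($user);
}

$xpath = new DOMXPath($doc);
foreach ($names as $lookup) {
    // The value is embedded as data, so quotes in it cannot end the literal.
    $expr  = '//user[@name=' . xpath_string_literal($lookup) . ']';
    $nodes = $xpath->query($expr);
    printf("%s => %d match(es)\n", $expr, $nodes->length);
}
```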