Newsgroups: php.internals
Xref: news.php.net php.internals:93260
Subject: Re: [PHP-DEV] [RFC DRAFT] Automatic CSRF Protection
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Thu, 12 May 2016 12:19:18 +0900
To: Pierre Joye
Cc: Arvids Godjuks, Niklas Keller, Stanislav Malyshev, internals@lists.php.net
References: <3b115b37-d399-0b69-24b4-de5c95c4a069@gmail.com>

Hi Pierre,

On Thu, May 12, 2016 at 10:53 AM, Pierre Joye wrote:
> My answer is clearly no. We must rather simplify and improve the
> session implementations and APIs, focusing purely on their core
> purposes: managing session data storage and providing interfaces and APIs
> to match application needs. We do not do that very well anymore.

We did not do very well for a long time, indeed.

A session manager must not accept an uninitialized session ID. It's an obvious mandatory requirement for a decent session manager, but it took me many years to add it, and it's not enabled by default yet. I think a decade has passed since strict sessions were proposed.

Another mandatory feature, timestamp-based session data management, is taking years, and I'm not sure if I can add it for PHP 7.1. Even a simple mandatory API for a housekeeping task like session_gc() is taking many years to be implemented.

It could be an option to abandon the session module and let users implement a decent session manager, because we are taking too long even for mandatory things, even when there are implementations. It is simply taking too long to fix them.

I'm half joking, but half serious :)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
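The two requirements named in the message above (a manager that refuses uninitialized IDs, and timestamp-based expiry of a superseded ID after regeneration) are shown below in a small in-memory session manager. This is an added example, not code from the thread, from ext/session or from any RFC: the class name SessionStore, the $graceSeconds parameter, the 32-hex-digit ID format and the constructed attacker ID are this example's own assumptions. The "strict" flag plays the role of PHP's session.use_strict_mode=1; the "permissive" path is the behaviour the message says a decent session manager must not have.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not from the thread or ext/session): an in-memory session
 * manager showing why uninitialized IDs must be rejected, and how a superseded
 * ID can stay valid for a short grace window after regeneration and then die.
 * SessionStore, $graceSeconds and the 32-hex ID format are assumptions here.
 */
final class SessionStore
{
    /** @var array<string, array{data: array, expires_at: int|null}> */
    private $sessions = [];
    /** @var bool */
    private $strict;
    /** @var int */
    private $graceSeconds;

    public function __construct(bool $strict, int $graceSeconds = 60)
    {
        $this->strict = $strict;
        $this->graceSeconds = $graceSeconds;
    }

    /** Issue a fresh, unguessable ID and register it as initialized. */
    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['data' => [], 'expires_at' => null];
        return $id;
    }

    /**
     * Start a session for the ID the client presented (e.g. from a cookie)
     * and return the ID actually in use for this request.
     */
    public function start($clientId, int $now): string
    {
        if (is_string($clientId) && preg_match('/^[0-9a-f]{32}$/', $clientId) === 1) {
            if (isset($this->sessions[$clientId])) {
                $expiresAt = $this->sessions[$clientId]['expires_at'];
                if ($expiresAt === null || $expiresAt > $now) {
                    return $clientId;              // issued by this store and still valid
                }
                unset($this->sessions[$clientId]); // grace window over: superseded ID is dead
            } elseif (!$this->strict) {
                // Permissive: adopt any well-formed ID the client sent, even one this store
                // never issued. If an attacker planted it in the victim's cookie, the
                // attacker now shares the victim's session (session fixation).
                $this->sessions[$clientId] = ['data' => [], 'expires_at' => null];
                return $clientId;
            }
        }
        return $this->create(); // strict: an unknown ID is never adopted; issue a new one
    }

    /**
     * Regenerate the ID (after login or a privilege change). The old ID keeps a
     * copy of the data for $graceSeconds so that requests already in flight with
     * the old cookie still succeed, and is rejected after that.
     */
    public function regenerate(string $oldId, int $now): string
    {
        $newId = $this->create();
        $this->sessions[$newId]['data'] = $this->sessions[$oldId]['data'];
        $this->sessions[$oldId]['expires_at'] = $now + $this->graceSeconds;
        return $newId;
    }

    public function set(string $id, string $key, $value): void
    {
        $this->sessions[$id]['data'][$key] = $value;
    }

    public function get(string $id, string $key)
    {
        return $this->sessions[$id]['data'][$key] ?? null;
    }
}

/** Fixation attempt: does the attacker end up reading the victim's session data? */
function fixationSucceeds(bool $strict): bool
{
    $store = new SessionStore($strict);
    $planted = str_repeat('a', 32);                 // constructed: ID the attacker forced into the victim's cookie
    $victimId = $store->start($planted, 1000);      // victim's request carries the planted cookie
    $store->set($victimId, 'user', 'victim');       // victim logs in
    $attackerId = $store->start($planted, 1001);    // attacker presents the same ID
    return $store->get($attackerId, 'user') === 'victim';
}

/** After regeneration the old ID keeps working only inside the grace window. */
function oldIdUsableAfter(int $secondsAfterRegen): bool
{
    $store = new SessionStore(true, 60);
    $id = $store->start(null, 1000);
    $store->set($id, 'user', 'alice');
    $store->regenerate($id, 1000);
    $seen = $store->start($id, 1000 + $secondsAfterRegen);
    return $seen === $id && $store->get($seen, 'user') === 'alice';
}

if (PHP_SAPI === 'cli') {
    printf("permissive: fixation succeeds = %s\n", fixationSucceeds(false) ? 'yes' : 'no');
    printf("strict:     fixation succeeds = %s\n", fixationSucceeds(true) ? 'yes' : 'no');
    printf("old ID usable 10s after regen:  %s\n", oldIdUsableAfter(10) ? 'yes' : 'no');
    printf("old ID usable 120s after regen: %s\n", oldIdUsableAfter(120) ? 'yes' : 'no');
}
```

Run it with `php` on the command line. The permissive store lets the attacker read the victim's data because it silently initializes a session under an ID the client chose; the strict store ignores that ID and issues its own, so the attacker's cookie never matches the victim's session. With the real extension the equivalent switch is `session.use_strict_mode = 1` in php.ini (or via ini_set before session_start()); the grace-window logic in regenerate() is this example's own sketch of the timestamp-based handling the message refers to, not something ext/session implements as written here.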