Newsgroups: php.internals
Date: Mon, 26 Sep 2016 05:35:45 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: internals@lists.php.net
Subject: Fixing halfway implemented session management - timestamp based session management OR remove session_regenerate_id()

Hi all,

Timestamp based session management is required to manage sessions as they should be managed.
I updated the session manual pages a while ago to explain why:

http://php.net/manual/en/session.security.php
http://php.net/manual/en/function.session-regenerate-id.php

Although the session module has over 10 years of history, it lacks a basic feature and is not implemented fully yet. As I mentioned in the above manual pages, it does not have _mandatory_ timestamp based session management.

I proposed an implementation [1], but it was declined, even though it is mandatory for the session module to manage session data correctly and precisely. Some may think "timestamp management should be part of the user's task", but even a simple basic feature like session_regenerate_id() can NOT work as it is supposed to without timestamp based management. (Other mandatory tasks have problems also, but I ignore them for now.)

There is a userland workaround, as described. Users can implement their own session_regenerate_id() as described in the manual page.

Since session management is a very important feature for web apps, we shouldn't keep providing a halfway implemented API forever. Implementation or removal is required.

I would like to propose either timestamp based (precise) session management again, OR session_regenerate_id() deprecation now and removal in a future version.

Any comments?

Regards,

[1] https://wiki.php.net/rfc/precise_session_management

-- 
Yasuo Ohgaki
yohgaki@ohgaki.net
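As an added example (not code from this e-mail, and not a copy of the manual's listing), the following userland sketch shows what the message means by timestamp based regeneration, following the approach the linked manual page describes: when the ID is regenerated, the old session record is kept and stamped with a destruction time instead of being deleted, so a late request that still carries the old ID inside a short grace window is redirected to the new ID, while use of the old ID after the window is treated as a stale or stolen cookie. The 300 second grace window, the `destroyed`, `new_session_id` and `created` keys, and the two function names are assumptions made for this example; `session_create_id()` requires PHP 7.1 or later.

```php
<?php
// Added example: timestamp based session ID regeneration in userland.
// Not code from the e-mail; follows the approach the manual describes.
// Assumptions: 300 s grace window, the $_SESSION key names, function names.
// Requires PHP >= 7.1 for session_create_id().

const SESSION_GRACE_SECONDS = 300; // assumed grace window for an obsolete ID

// Call this at the start of every request instead of a bare session_start().
function start_session_with_timestamp(): void
{
    // Strict mode: an ID that does not exist in the store is never adopted,
    // so a destroyed or made-up ID cannot be fixated onto a fresh session.
    ini_set('session.use_strict_mode', '1');
    session_start();

    if (isset($_SESSION['destroyed'])) {
        if ($_SESSION['destroyed'] < time() - SESSION_GRACE_SECONDS) {
            // Obsolete ID presented after the grace window. A legitimate
            // client would have switched to the new ID long ago, so treat
            // this as a replayed or stolen cookie: drop the record entirely
            // and start a clean, unauthenticated session under a new ID.
            $_SESSION = [];
            session_destroy();
            session_start();            // strict mode issues a new ID here
            $_SESSION['created'] = time();
            return;
        }
        if (isset($_SESSION['new_session_id'])) {
            // Still inside the window: most likely a lost Set-Cookie or a
            // concurrent request. Move the client to the new ID instead of
            // failing; the new record already exists, so strict mode accepts it.
            $new_id = $_SESSION['new_session_id'];
            session_commit();
            session_id($new_id);
            session_start();
            return;
        }
    }

    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = time();
    }
}

// Call this instead of session_regenerate_id(true), e.g. right after login.
function regenerate_session_id_with_timestamp(): void
{
    $new_id = session_create_id();

    // Stamp the OLD record instead of deleting it. The timestamp is what
    // lets a late-but-honest request be told apart from replay of a
    // long-dead ID; a plain session_regenerate_id(true) cannot make
    // that distinction.
    $_SESSION['destroyed']      = time();
    $_SESSION['new_session_id'] = $new_id;
    session_commit();

    // Adopt the new ID. Strict mode must be off for this one start() call
    // because the new ID is not yet initialised in the session store.
    ini_set('session.use_strict_mode', '0');
    session_id($new_id);
    session_start();
    ini_set('session.use_strict_mode', '1');

    // The new record carries no obsolescence marker of its own.
    unset($_SESSION['destroyed'], $_SESSION['new_session_id']);
    $_SESSION['created'] = time();
}
```

Two practical caveats with this pattern: the old record must survive at least as long as the grace window, so `session.gc_maxlifetime` has to be larger than SESSION_GRACE_SECONDS or garbage collection will remove it before a delayed request can be redirected; and because the stale-ID branch discards the session rather than just the ID, any authentication state in it is lost by design, which is the point of treating post-window use of an obsolete ID as an attack indicator.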