Newsgroups: php.internals
Subject: Re: [PHP-DEV] Fixing halfway implemented session management - timestamp based session management OR remove session_regenerate_id()
From: mails@thomasbley.de ("Thomas Bley")
To: internals@lists.php.net, yohgaki@ohgaki.net
Date: Sun, 25 Sep 2016 23:40:39 +0200 (CEST)
Message-ID: <20160925214039.E4C4E1A84473@dd1730.kasserver.com>

Why not have a new session module? Those who want no change for existing applications keep the old one, new projects can use the new one, and those who want more security port their code to the new one. E.g. use session2_start(), etc.

Regards
Thomas

Yasuo Ohgaki wrote on 25. Sept 2016 22:35:
> Hi all,
>
> Timestamp based session management is required to manage sessions as it
> should. I've updated the session manual pages a while ago to explain
> why.
>
> http://php.net/manual/en/session.security.php
> http://php.net/manual/en/function.session-regenerate-id.php
>
> Although the session module has over 10 years of history, the session module
> lacks a basic feature and is not implemented fully yet. As I mentioned
> in the above manual pages, it does not have _mandatory_ timestamp based
> session management.
>
> I proposed an implementation [1], but it was declined even if it is
> mandatory for the session module to manage session data correctly and
> precisely.
>
> Some may think "timestamp management should be part of the user's task", but
> even a simple basic feature like session_regenerate_id() can NOT work as
> it is supposed to without timestamp based management. (Other mandatory tasks
> have problems also, but I ignore them for now.)
>
> There is a userland workaround as described. Users can implement their
> own session_regenerate_id() as described in the manual page.
>
> Since session management is a very important feature for web apps, we
> shouldn't keep providing a halfway implemented API forever.
> Implementation or removal is required.
>
> I would like to propose either
>
> timestamp based (precise) session management again.
> OR
> session_regenerate_id() deprecation now and removal in a future version.
>
> Any comments?
>
> Regards,
>
> [1] https://wiki.php.net/rfc/precise_session_management
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
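To make the "userland workaround" concrete, here is an added example (written for this thread, not code from the PHP project or from the manual page cited above) of a timestamp based replacement for session_regenerate_id(): the old ID is retired with a timestamp and a pointer to its successor, a late request with the old ID is tolerated for a grace period, and a request with the old ID after that period is treated as a possible stolen session. The function names and the 300 second grace period are assumptions, and session_create_id() requires PHP 7.1 or later.

```php
<?php
// Added example: timestamp based session regeneration in userland.
// Names and the grace period are assumptions, not PHP's own API.

const SESSION_GRACE_SECONDS = 300;

// Returns true when a usable session is active, false when a retired ID was
// presented after its grace period (caller should force re-authentication).
function timestamped_session_start(): bool
{
    session_start();

    if (isset($_SESSION['destroyed'], $_SESSION['new_session_id'])) {
        if ($_SESSION['destroyed'] < time() - SESSION_GRACE_SECONDS) {
            // Stale ID outside the grace period: possible session theft.
            // Drop it; an application should also revoke the successor
            // recorded in new_session_id, since the attacker may hold it.
            session_unset();
            session_destroy();
            return false;
        }
        // Within the grace period: continue transparently with the successor
        // so a delayed but legitimate request does not lose its state.
        $next = $_SESSION['new_session_id'];
        session_commit();
        session_id($next);
        session_start();
    }
    return true;
}

function timestamped_session_regenerate_id(): void
{
    // Mark the current session as retired and point it at its successor.
    $new_id = session_create_id();
    $_SESSION['new_session_id'] = $new_id;
    $_SESSION['destroyed'] = time();
    $data = $_SESSION;   // session_start() with a fresh ID begins empty
    session_commit();    // persist the markers in the old session

    // Strict mode rejects IDs that do not exist in the store yet; relaxing it
    // with ini_set() lasts only for this request.
    ini_set('session.use_strict_mode', '0');
    session_id($new_id);
    session_start();
    $_SESSION = $data;   // carry the data over to the new session
    unset($_SESSION['destroyed'], $_SESSION['new_session_id']);
}
```

Calling timestamped_session_regenerate_id() instead of session_regenerate_id() after login keeps the old ID usable for the grace period; a request arriving with it later than that is the detectable condition the thread says the built-in function cannot provide.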