Newsgroups: php.internals
Date: Mon, 26 Sep 2016 07:50:35 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Paul Jones
Cc: Thomas Bley, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Fixing halfway implemented session management - timestamp based session management OR remove session_regenerate_id()

Hi Paul,

On Mon, Sep 26, 2016 at 7:12 AM, Paul Jones wrote:
>> On Sep 25, 2016, at 16:40, Thomas Bley wrote:
>>
>> why not have a new session module? those who want no change for existing applications keep the old one, new projects can use the new one, those who want more security port their code to the new one. e.g. use session2_start(), etc.
>
> If that's going to be the approach (and I find it appealing) then perhaps there should be other things accomplished as part of the new work; e.g., disable the automatic sending of cookie headers and make it explicit. Or wrap all the features in objects. (I don't want to volunteer anyone else for more work, though, and I myself am not competent to implement those ideas.)

The object interface is broken in many ways... I'll propose a new "SessionSaveHandler" interface and a new object API to solve all problems soon.

BTW, having a new module and cleaning things up is an option, but the session module just needs implementations/improvements. The basic module design is good, IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net