Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96146
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 34124 invoked from network); 26 Sep 2016 05:59:42 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 26 Sep 2016 05:59:42 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:48342] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 3E/ED-11573-B49B8E75 for <internals@lists.php.net>; Mon, 26 Sep 2016 01:59:41 -0400
Received: (qmail 48601 invoked by uid 89); 26 Sep 2016 05:59:36 -0000
Received: from unknown (HELO mail-qk0-f180.google.com) (yohgaki@ohgaki.net@209.85.220.180)
  by 0 with ESMTPA; 26 Sep 2016 05:59:36 -0000
Received: by mail-qk0-f180.google.com with SMTP id t7so154323664qkh.2
        for <internals@lists.php.net>; Sun, 25 Sep 2016 22:59:36 -0700 (PDT)
X-Gm-Message-State: AA6/9RnNyCGvmHM04qkmaCDHIDKs1/2JDo4R1aMq2L5nrw8624FaSxgchE/2uNayhoUEa9voxjE9TlGZXTertg==
X-Received: by 10.55.145.197 with SMTP id t188mr20026695qkd.233.1474869570554;
 Sun, 25 Sep 2016 22:59:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.84.168 with HTTP; Sun, 25 Sep 2016 22:58:50 -0700 (PDT)
In-Reply-To: <CAGa2bXaX1eZS=_Xg3JjCVZRBSruMy6yUk-PTrKoGOwW5Tg=0_Q@mail.gmail.com>
References: <CAGa2bXaX1eZS=_Xg3JjCVZRBSruMy6yUk-PTrKoGOwW5Tg=0_Q@mail.gmail.com>
Date: Mon, 26 Sep 2016 14:58:50 +0900
X-Gmail-Original-Message-ID: <CAGa2bXaApCEziTVDB3PA_MpBJLuYvKHGmiSy8XuuD1uARfYhvA@mail.gmail.com>
Message-ID: <CAGa2bXaApCEziTVDB3PA_MpBJLuYvKHGmiSy8XuuD1uARfYhvA@mail.gmail.com>
To: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: Fixing halfway implemented session management - timestamp based
 session management OR remove session_regenerate_id()
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

On Mon, Sep 26, 2016 at 5:35 AM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> Since session management is very important feature for web apps, we
> shouldn't keep providing halfway implemented API forever.
> Implementation or removal is required.
>
> I would like to propose either
>
>   timestamp based (precise) session management again.
> OR
>   session_regenerate_id() deprecation now and removal in future version.
>
> Any comments?

For those who are too busy to read whole
http://php.net/manual/en/session.security.php
http://php.net/manual/en/function.session-regenerate-id.php

(Although, I suggest read them at least once)
Please read session_regenerate_id() example #2.

Example #2 Avoiding lost session by session_regenerate_id()

Ideally, user must have something like this example code for session
ID regeneration. However, the example does not (cannot) use
session_regenerate_id() to manage session. session_regenerate_id()
feature is halfway implemented and cannot do the job as it should.
This is the reason why I suggesting either timestamp implementation or
session_regenerate_id() deprecation.

I'm looking forward comments especially from vote no for "Precise
Session Management"[1]

Regards,


[1] https://wiki.php.net/rfc/precise_session_management

--
Yasuo Ohgaki
yohgaki@ohgaki.net