Newsgroups: php.internals
To: Yasuo Ohgaki, "internals@lists.php.net"
Message-ID: <36d925dc-f5a4-b6fb-1060-decf2c7f5271@gmail.com>
Date: Sun, 25 Sep 2016 23:18:39 -0700
Subject: Re: [PHP-DEV] Re: Fixing halfway implemented session management - timestamp based session management OR remove session_regenerate_id()
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> Please read session_regenerate_id() example #2.
>
> Example #2 Avoiding lost session by session_regenerate_id()

In this example, why do you do session_commit() in my_session_start()? There's no point in writing a stale session. I also see no code that actually removes old sessions - is it by design? I am also not sure why this code messes with session.use_strict_mode - which user code is not supposed to do; this should be possible to do without doing that.
In fact, thinking about it, I think the following can be done relatively easily: make session_regenerate_id(), if called with false, put magic entries into the old session that specify a) when it was regenerated and b) what the new session ID was. This would allow implementing example #2 in userspace much more cleanly, and if we want to implement it further in session, we could add an option to session_start to do so. But one could also use this data in one's own session system if one wants to do it slightly differently.

This still leaves the question of old sessions, but it's not new, as session_regenerate_id(false) already exists and in general we have GC.

-- 
Stas Malyshev
smalyshev@gmail.com
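The marker idea in the message above, as an added example that is not code from the thread or from PHP's session module: an in-memory model in which the old session record keeps its regeneration time and the new ID, and a lookup either forwards a late request or rejects a stale ID. The marker key names, the 60-second grace window and the removal of stale records on access are assumptions made for this sketch.

```php
<?php
// Added illustration: an in-memory model, not PHP's session module.
const MARK_TIME = '__regenerated_at';   // hypothetical marker key
const MARK_NEW_ID = '__new_sid';        // hypothetical marker key
const GRACE_SECONDS = 60;               // assumed grace window

/** Models session_regenerate_id(false): the old record is kept and marked. */
function regenerate(array &$store, string $oldId, int $now): string
{
    $newId = bin2hex(random_bytes(16));
    $store[$newId] = $store[$oldId];        // copy data first, so markers are not copied
    $store[$oldId][MARK_TIME] = $now;       // a) when it was regenerated
    $store[$oldId][MARK_NEW_ID] = $newId;   // b) what the new session ID was
    return $newId;
}

/** Returns the session ID to use for a presented ID, or null to reject it. */
function resolve(array &$store, string $presentedId, int $now): ?string
{
    $id = $presentedId;
    // Follow forwarding markers; every hop must still be inside the grace window.
    for ($hops = 0; $hops < 8; $hops++) {
        if (!isset($store[$id])) {
            return null;                    // unknown ID, or record already removed
        }
        if (!isset($store[$id][MARK_TIME])) {
            return $id;                     // active session, no markers present
        }
        if ($now - $store[$id][MARK_TIME] > GRACE_SECONDS) {
            unset($store[$id]);             // assumption: drop stale records on access
            return null;
        }
        $id = $store[$id][MARK_NEW_ID];
    }
    return null;                            // forwarding chain too long
}

// Constructed sample data and timestamps.
$store = ['sid-a' => ['user' => 'alice']];
$t0 = 1474870719;
$new = regenerate($store, 'sid-a', $t0);
var_dump(resolve($store, 'sid-a', $t0 + 5) === $new);   // late request with the old ID
var_dump(resolve($store, 'sid-a', $t0 + 120));          // old ID after the grace window
var_dump(isset($store['sid-a']));                       // whether the stale record remains
```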