Newsgroups: php.internals
Date: Wed, 19 Oct 2016 13:34:09 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stephen Reay
Cc: "internals@lists.php.net", Davey Shafik, Xinchen Hui
Subject: Re: [PHP-DEV] Re: header() removes all header of the same name.

Hi Stephen,

On Wed, Oct 19, 2016 at 12:18 PM, Stephen Reay wrote:
> I still have an issue with that. I believe the correct behaviour here is (assuming the `replace` argument to header() is honoured) what you’re seeing. Yes, it might be *unexpected* for new users, but it’s also *expected* by millions of current users/projects.
>
> I would suggest perhaps a warning on the header() docs page, and perhaps an example to avoid the issue on the Session handling page.
>
> Leaving it as-is, with improved docs means all functionality is *possible* with the right arguments.
>
> Changing to your proposal means advanced use-cases are *impossible* with any arguments.
>
>
> I realise you’re trying to remove WTF cases, but I don’t think removing advanced capabilities is the way to do that.

Yes. Even framework developer(?) seems to have current behavior.
In general, users shouldn't touch session ID.

In case a user really wants to modify the session ID cookie, the following could be done.

 - Make header_remove() able to delete 'Set-Cookie' header. (Current behavior)
 - Make header() able to send 'Set-Cookie' header. (Current behavior, but not remove session ID cookie)

This allows users to send an arbitrary session ID cookie when it is really needed, while avoiding accidental session ID cookie removal.

What do you think?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
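
The behaviour debated in this thread can be observed with a short script. This is an added example, not code from the message or from the PHP project; it checks whether the session cookie is still queued after header() is called with and without the `replace` argument. The helper name `session_cookie_queued()` and the cookie values are hypothetical, and the script assumes a web SAPI and a request that carries no session cookie yet.

```php
<?php
// Added illustration. Run under a web SAPI (for example `php -S localhost:8000`);
// the CLI SAPI keeps no header list for headers_list() to return.

// Hypothetical helper: true if a Set-Cookie header for the session cookie is queued.
function session_cookie_queued(): bool
{
    $needle = 'Set-Cookie: ' . session_name() . '=';
    foreach (headers_list() as $line) {
        // Header names are case-insensitive, so compare without regard to case.
        if (strncasecmp($line, $needle, strlen($needle)) === 0) {
            return true;
        }
    }
    return false;
}

$report = [];

// On a request without a session cookie, session_start() queues
// "Set-Cookie: <session name>=<new id>; ...".
session_start();
$report['after session_start()'] = session_cookie_queued();

// replace = false appends a second Set-Cookie header next to the session one.
header('Set-Cookie: theme=dark; Path=/', false);          // constructed sample cookie
$report['after header(..., false)'] = session_cookie_queued();

// replace defaults to true: earlier headers of the same name are replaced.
header('Set-Cookie: lang=en; Path=/');                    // constructed sample cookie
$report['after header() with default replace'] = session_cookie_queued();

// All header() calls happen before any output is sent.
header('Content-Type: text/plain');
foreach ($report as $step => $present) {
    echo $step, ': session cookie ', $present ? 'queued' : 'not queued', "\n";
}
echo "\nHeaders queued for this response:\n", implode("\n", headers_list()), "\n";
```

The same helper can be called just before output starts to log a response that is about to be sent without its session cookie.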