Newsgroups: php.internals
Date: Thu, 20 Oct 2016 18:57:36 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Niklas Keller
Cc: Stephen Reay, Stanislav Malyshev, "internals@lists.php.net", Davey Shafik, Xinchen Hui
Subject: Re: [PHP-DEV] header() removes all header of the same name.

Hi Niklas,

On Thu, Oct 20, 2016 at 6:01 PM, Niklas Keller wrote:
>
> same here, it's not acceptable to limit header and restrict `set_cookie`.
> Just think about all those frameworks that would have to special-case setting
> headers now and have to use the cookie API then.
>
> If you want to protect the session cookie header, why not simply set it
> right before the first output? That'd make it also non-overrideable, but
> leaves header() intact. But I guess it's harder to implement.

Although I prefer to have a completely separate API, we have to implement the vote result. So vote no for the "Disabling 'Set-Cookie' for header*()" vote option.

Regarding delaying the session cookie header, it is possible to use an output buffer to delay output so that the session module can send the HTTP header at request shutdown. However, it will break almost all session-enabled applications that require immediate output. Therefore, it's easy to implement, but not possible for this reason.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net