Session Handler enhancement (create_sid)

I would like to propose a new feature to the current custom session
handling; the ability for a user-defined function to be used when
generating the session id.

The reasons are as follows:

The Session Handler doesn't know when session_regenerate_id is used. If you
want to set custom session identifiers, you have to use a replacement for
session_regenerate_id. This prevents a session handler being dropped in to
existing code without modification to that code.

The flexibility given to sid generation using session.hash_function and
session.hash_bits_per_character is still quite restrictive. I particularly
dislike the chosen character set for session.hash_bits_per_character = 6,
as the comma will always be urlencoded to %2C prior to being sent as a
cookie.

Existing code caters for a custom sid function (and has done since PHP 4),
but it is not implemented. ps_module_struct already has a placeholder for
s_create_sid, but it is hard-mapped to an internal function. The
modifications required to allow a user function are minimal.

I have created a patch/pull-request: https://github.com/php/php-src/pull/109

Regarding BC, I have implemented it such that supplying individual
callbacks to session_set_save_handler is backwards compatible. The 7th
argument is optional and if no callback is supplied the default is used.
However, when calling session_set_save_handler with a SessionHandler object,
BC is broken. It is possible to preserve BC with a few changes but that
means the interface would have to be incomplete. I think it is less evil to
break BC for this relatively new feature (by new feature I mean the
SessionHandler class - not create_sid), than it is to have a built-in class
that doesn't match its associated built-in interface.
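
The following is an added example, not code from the message or the pull request. It assumes PHP 7+ and the hook in the form PHP later shipped, SessionHandler::create_sid(); the class name HexSidHandler and the sample session data are hypothetical. It shows a drop-in handler whose ids come from the CSPRNG, survive cookie encoding unchanged, and are used by both session_start() and an unmodified session_regenerate_id() call.

```php
<?php
// Added example, not code from the pull request. Assumes PHP 7+ for
// random_bytes() and the hook as it later shipped: SessionHandler::create_sid().

final class HexSidHandler extends SessionHandler   // hypothetical class name
{
    /** @var string[] every id this handler generated, kept for the demo */
    public $issued = [];

    // The session module calls this whenever it needs a fresh id, so it
    // covers session_start() and session_regenerate_id() alike.
    public function create_sid(): string
    {
        // 32 CSPRNG bytes as 64 hex characters: only [0-9a-f], so
        // urlencode() leaves the cookie value unchanged (no ',' -> %2C).
        $sid = bin2hex(random_bytes(32));
        $this->issued[] = $sid;
        return $sid;
    }
}

// All session calls run before any output: session_regenerate_id() refuses
// to work once headers have been sent.
session_save_path(sys_get_temp_dir());
$handler = new HexSidHandler();
session_set_save_handler($handler, true);

session_start();                 // first id comes from create_sid()
$first = session_id();
$_SESSION['user'] = 'alice';     // constructed sample data

session_regenerate_id(true);     // unmodified application code, same hook
$second = session_id();
session_write_close();

foreach ([$first, $second] as $sid) {
    printf(
        "%s from_handler=%s cookie_safe=%s\n",
        $sid,
        var_export(in_array($sid, $handler->issued, true), true),
        var_export(urlencode($sid) === $sid, true)
    );
}
```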