FAQ
Hi,
On May 10, 2016 10:25 AM, "Yasuo Ohgaki" wrote:

Hi all,

It's not nice to work on the same code (i.e. session module) for
multiple RFCs, but time is limited.

I would like to hear from ideas/comments before I write patch for this.
https://wiki.php.net/rfc/automatic_csrf_protection

Thank you for your comments.
I will try to explain a bit my view on all the current efforts (welcome) to
secure session managements and related areas.

For the last one, I do not think php should take of it. If we still want to
do it, I won't do it all using what it is proposed. It should provide APIs,
easy to use and being used on demand (think of the password APIs for csrf
protection). INI settings are unflexible, hard to custom or fix later. The
pléthore of packages (and some very good ones like in slim fe) lead the
way.

This RFC also makes many assumptions about erroneous common cases as many
other said in this thread.

About all other RFCs to secure or improve sessions. My feeling is simple:

The current session code and designs is old, very old. It does not match
today ways to do things. Every time we fix it, I see a band aid fix.

In other words, rewrite the damned thing. Make clear, simple APIs, enable
secure behavior by default and limit the ini options to the very strict
minimum.

We all already used custom extensions for management anyway (serialization,
different backends, etc). It may not help shared hosting but these are kind
of hopeless in many regards.
Regards,

P.S. Precise session ID management is important, but this one is also
important. I'll finish and start voting 2 active session RFCs soon. I
may finish all of them hopefully.

Search Discussions

Discussion Posts

Previous

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 26 of 65 | next ›
Discussion Overview
groupphp-internals @
categoriesphp
postedMay 10, '16 at 3:25a
activeMay 12, '16 at 11:30a
posts65
users12
websitephp.net

People

Translate

site design / logo © 2019 Grokbase