On May 10, 2016 10:25 AM, "Yasuo Ohgaki" wrote:

Hi all,

It's not nice to work on the same code (i.e. session module) for
multiple RFCs, but time is limited.

I would like to hear from ideas/comments before I write patch for this.

Thank you for your comments.
I will try to explain a bit my view on all the current efforts (welcome) to
secure session managements and related areas.

For the last one, I do not think php should take of it. If we still want to
do it, I won't do it all using what it is proposed. It should provide APIs,
easy to use and being used on demand (think of the password APIs for csrf
protection). INI settings are unflexible, hard to custom or fix later. The
pléthore of packages (and some very good ones like in slim fe) lead the

This RFC also makes many assumptions about erroneous common cases as many
other said in this thread.

About all other RFCs to secure or improve sessions. My feeling is simple:

The current session code and designs is old, very old. It does not match
today ways to do things. Every time we fix it, I see a band aid fix.

In other words, rewrite the damned thing. Make clear, simple APIs, enable
secure behavior by default and limit the ini options to the very strict

We all already used custom extensions for management anyway (serialization,
different backends, etc). It may not help shared hosting but these are kind
of hopeless in many regards.

P.S. Precise session ID management is important, but this one is also
important. I'll finish and start voting 2 active session RFCs soon. I
may finish all of them hopefully.

Search Discussions

Discussion Posts


Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 26 of 65 | next ›
Discussion Overview
groupphp-internals @
postedMay 10, '16 at 3:25a
activeMay 12, '16 at 11:30a



site design / logo © 2019 Grokbase