session_regenerate_id(true) by default

From:	Yasuo Ohgaki	Date:	Tue, 22 Oct 2013 06:53:58 +0000
Subject:	session_regenerate_id(true) by default
Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi all,

Without 'true', session_regenerate_id() will not delete old session data
which may contain sensitive data. It was made to 'false' by default for
users relying on the bug. (PHP 4.x, IIRC)

Almost all users should call session_regenerate_id() with 'true' parameter.
Therefore, I would like to suggest make it 'true' by default from next PHP.

Any comments?

--
Yasuo Ohgaki
[email protected]


   

Thread (20 messages)

• Yasuo OhgakiTue, 22 Oct 2013 06:53:58 +0000
  • Derick RethansTue, 22 Oct 2013 09:12:54 +0000
    • Andrea FauldsTue, 22 Oct 2013 10:00:06 +0000
    • Yasuo OhgakiWed, 23 Oct 2013 01:06:28 +0000
  • Ferenc KovacsTue, 22 Oct 2013 10:48:23 +0000
    • Patrick SchaafTue, 22 Oct 2013 11:10:21 +0000
      • Ferenc KovacsTue, 22 Oct 2013 11:16:56 +0000
        • Patrick SchaafTue, 22 Oct 2013 11:23:02 +0000
          • Ferenc KovacsTue, 22 Oct 2013 11:38:42 +0000
      • Derick RethansTue, 22 Oct 2013 12:22:58 +0000
      • Yasuo OhgakiWed, 23 Oct 2013 00:56:03 +0000
        • Patrick SchaafWed, 23 Oct 2013 07:35:19 +0000
          • Yasuo OhgakiWed, 23 Oct 2013 23:59:06 +0000
    • Rowan CollinsWed, 23 Oct 2013 11:55:13 +0000
      • Yasuo OhgakiThu, 24 Oct 2013 00:05:27 +0000
  • Yasuo OhgakiTue, 29 Oct 2013 10:44:08 +0000Re: session_regenerate_id(true) by default
    • Christopher JonesTue, 29 Oct 2013 17:14:53 +0000Re: Re: session_regenerate_id(true) by default
      • Yasuo OhgakiTue, 29 Oct 2013 19:25:08 +0000
      • Andi GutmansMon, 04 Nov 2013 00:00:09 +0000
        • Yasuo OhgakiMon, 04 Nov 2013 03:32:20 +0000