On Tue, 22 Oct 2013, Yasuo Ohgaki wrote:
> Hi all,
>
> Without 'true', session_regenerate_id() will not delete old session data
> which may contain sensitive data. It was made to 'false' by default for
> users relying on the bug. (PHP 4.x, IIRC)
>
> Almost all users should call session_regenerate_id() with the 'true' parameter.
> Therefore, I would like to suggest making it 'true' by default from the next PHP.
>
> Any comments?
You can't just change subtle details like this. Big changes are a lot
easier to manage for users, but changing defaults that have a subtle
impact on already existing code is a bad idea in my book.
cheers,
Derick
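The following is an added example, not code from the thread or from PHP itself, that makes the point under discussion concrete: it runs session_regenerate_id() once with delete_old_session=false and once with true, and checks whether the old session record is still on disk afterwards. It uses the file-based session handler in a temporary directory so it runs from the CLI; the directory name, the session id, and the 'user' value stored in the session are all constructed for this example.

```php
<?php
// Added example (not part of the original thread): what the
// delete_old_session argument of session_regenerate_id() does to the
// record of the previous session id.
declare(strict_types=1);

// Configure a CLI-friendly, file-based session store.  The CLI has no
// cookies, so the id is supplied by hand via session_id() below.
function setupCliSession(string $saveDir): void
{
    ini_set('session.use_cookies', '0');
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_strict_mode', '0');
    ini_set('session.save_handler', 'files');
    ini_set('session.save_path', $saveDir);
}

// Start a session, store some (constructed) sensitive data, regenerate the
// id, and report whether the old and new session files exist afterwards.
function regenerateAndReport(bool $deleteOld, string $saveDir): array
{
    session_id(bin2hex(random_bytes(16)));   // constructed session id
    session_start();
    $_SESSION['user'] = 'alice';             // constructed "sensitive" data
    $oldId = session_id();

    session_regenerate_id($deleteOld);
    $newId = session_id();
    session_write_close();

    return [
        'old_id'          => $oldId,
        'new_id'          => $newId,
        'old_file_exists' => file_exists("$saveDir/sess_$oldId"),
        'new_file_exists' => file_exists("$saveDir/sess_$newId"),
    ];
}

$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
setupCliSession($dir);

foreach ([false, true] as $deleteOld) {
    $r = regenerateAndReport($deleteOld, $dir);
    printf(
        "delete_old_session=%s: old record still on disk=%s, new record on disk=%s\n",
        var_export($deleteOld, true),
        var_export($r['old_file_exists'], true),
        var_export($r['new_file_exists'], true)
    );
    if ($r['old_file_exists']) {
        // The stale record still holds the serialized session data.
        echo "  stale record contents: ",
             file_get_contents("$dir/sess_{$r['old_id']}"), "\n";
    }
}

// Clean up the temporary session store.
array_map('unlink', glob("$dir/sess_*") ?: []);
rmdir($dir);
```

With the default (false) the old sess_* file is left in place with the serialized data still in it, which is the leftover that the first message in the thread is worried about; with true the handler's destroy step removes it. Whether a later request could still resume that stale id depends on the session.use_strict_mode setting; the example disables strict mode only so that a hand-picked id is accepted from the CLI.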