Re: session_regenerate_id(true) by default

From:
Date: Tue, 22 Oct 2013 10:48:23 +0000
Subject: Re: session_regenerate_id(true) by default
References: 1
Groups: php.internals
On Tue, Oct 22, 2013 at 8:53 AM, Yasuo Ohgaki <[email protected]> wrote:

> Hi all,
>
> Without 'true', session_regenerate_id() will not delete old session data
> which may contain sensitive data. It was made to 'false' by default for
> users relying on the bug. (PHP 4.x, IIRC)
>
> Almost all users should call session_regenerate_id() with the 'true' parameter.
> Therefore, I would like to suggest making it 'true' by default from next PHP.
>
> Any comments?
>
> --
> Yasuo Ohgaki
> [email protected]
>


We could add an E_DEPRECATED for the session_regenerate_id(false) usage
for 5.6 instead.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
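
The behaviour under discussion, as an added example that is not part of the original thread: it rotates a session ID with and without 'true' and checks whether the old session's data is still on disk. It assumes the PHP CLI (7.0 or later) with the default "files" save handler; the function name oldSessionData, the temporary directory and the sample value are constructed for illustration.

```php
<?php
// Added example: what is left behind by session_regenerate_id() with and
// without 'true'. Assumes the default "files" session save handler.

$dir = sys_get_temp_dir() . '/regen_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
ini_set('session.save_path', $dir);
ini_set('session.use_cookies', '0');   // CLI run: no cookie headers needed

// Hypothetical helper: returns the old session's stored data after the ID
// has been rotated, or null if the old session no longer exists.
function oldSessionData(bool $deleteOld, string $dir): ?string
{
    // "Request 1": pre-login session holding constructed sample data.
    session_id(bin2hex(random_bytes(16)));
    session_start();
    $_SESSION['card_last4'] = '4242';
    session_write_close();

    // "Request 2": privilege change (e.g. login), so the ID is rotated.
    session_start();
    $oldId = session_id();
    session_regenerate_id($deleteOld);
    session_write_close();

    $oldFile = "$dir/sess_$oldId";
    return file_exists($oldFile) ? file_get_contents($oldFile) : null;
}

$results = [
    'session_regenerate_id()'     => oldSessionData(false, $dir),
    'session_regenerate_id(true)' => oldSessionData(true, $dir),
];

// Output is deferred to the end so no session call runs after output starts.
foreach ($results as $call => $data) {
    echo str_pad($call, 30),
         $data === null ? 'old session deleted'
                        : "old session still readable: $data",
         PHP_EOL;
}

// Remove the demo session files and directory.
array_map('unlink', glob("$dir/sess_*"));
rmdir($dir);
```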

