Re: session_regenerate_id(true) by default
Am 22.10.2013 12:48 schrieb "Ferenc Kovacs" <[email protected]>:
> We could we add an E_DEPRECATED for the session_regenerate_id(false) usage
> for 5.6 instead.
I might find that useful for the session_regenerate_id() case, i.e. when
using the default, but IMHO there are perfectly valid reasons to keep the
previous session active in a controlled way.
Working on the issue for our own application, I'm in the process of
teaching our session wrapping class to regenerate ID often - but when doing
so, first setting up the previous session ID with two pieces of
information: a short timeout of 20 seconds or something like that, and a
"forwarding ID" which references the new session ID.
I want to do this because I want to regenerate IDs often (also based on a
rather short timeout), and I'm concerned about parallel in-flight requests
- a high probability reality with ajax getting more and more traction -
still presenting the old session ID a second or two after a request
determined to regenerate.
BTW and a bit off-topic: is there a good reason for session_write_close not
returning a success indicator? Right now it spams the log with a misleading
message, but gives me no chance (short of setting up a global error handler
to catch and handle that message) to see (and maybe retry / use a fallback)
on failure
best regards
Patrick
Thread (20 messages)