Re: session_regenerate_id(true) by default
On Tue, Oct 22, 2013 at 1:10 PM, Patrick Schaaf <[email protected]> wrote:
>
> On 22.10.2013 12:48, "Ferenc Kovacs" <[email protected]> wrote:
>
> > We could add an E_DEPRECATED for the session_regenerate_id(false) usage
> > for 5.6 instead.
>
> I might find that useful for the session_regenerate_id() case, i.e. when
> using the default, but IMHO there are perfectly valid reasons to keep the
> previous session active in a controlled way.
>
> Working on the issue for our own application, I'm in the process of
> teaching our session wrapping class to regenerate ID often - but when doing
> so, first setting up the previous session ID with two pieces of
> information: a short timeout of 20 seconds or something like that, and a
> "forwarding ID" which references the new session ID.
>
> I want to do this because I want to regenerate IDs often (also based on a
> rather short timeout), and I'm concerned about parallel in-flight requests
> - a high probability reality with ajax getting more and more traction -
> still presenting the old session ID a second or two after a request
> determined to regenerate.
>
> BTW and a bit off-topic: is there a good reason for session_write_close
> not returning a success indicator? Right now it spams the log with a
> misleading message, but gives me no chance (short of setting up a global
> error handler to catch and handle that message) to see (and maybe retry /
> use a fallback) on failure.
>
> best regards
> Patrick
>
You could do @session_write_close() and error_get_last() instead of the
global handler, but I think that it is a good idea and would be a trivial
and backward compatible change.
--
Ferenc Kovács
@Tyr43l - http://tyrael.hu
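
The scheme described in the quoted message (the previous session ID kept alive for a short timeout, carrying a "forwarding ID" that references the new session), sketched as an added example; it is not code from this thread or from PHP itself. The key names `_fwd_to` and `_fwd_until` and all function names are hypothetical, and it assumes PHP 7.1+ for `session_create_id()` and that it runs before any output is sent.

```php
<?php
const GRACE_SECONDS = 20; // the "short timeout" from the message

// Decide how to treat a session from its stored forwarding marker.
// Returns ['use', null], ['forward', $newId] or ['reject', null].
function forward_decision(array $data, int $now): array
{
    if (!isset($data['_fwd_to'], $data['_fwd_until'])) {
        return ['use', null];             // live session, no marker
    }
    if ($now > $data['_fwd_until']) {
        return ['reject', null];          // old ID presented after the grace window
    }
    return ['forward', $data['_fwd_to']]; // in-flight request still using the old ID
}

function start_session_following_forward(): bool
{
    session_start();
    [$action, $target] = forward_decision($_SESSION, time());
    if ($action === 'forward') {
        session_write_close();            // release the old session's lock
        session_id($target);              // follow the pointer (one hop only)
        session_start();
    } elseif ($action === 'reject') {
        $_SESSION = [];
        session_destroy();                // expired old ID: remove it from storage
        return false;
    }
    return true;
}

function regenerate_with_forwarding(): void
{
    $data  = $_SESSION;                   // copy taken before the markers are added
    $newId = session_create_id();
    // Mark the old session: short lifetime plus a pointer to its successor.
    $_SESSION['_fwd_to']    = $newId;
    $_SESSION['_fwd_until'] = time() + GRACE_SECONDS;
    session_write_close();

    ini_set('session.use_strict_mode', '0'); // allow adopting the ID created above
    session_id($newId);
    session_start();
    $_SESSION = $data;                    // new session carries the data, not the markers
}
```

Within the grace window the old ID acts only as a pointer to the new session; once `_fwd_until` has passed, a request presenting it is rejected and the stale record is destroyed.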