Ferenc Kovacs wrote (on 22/10/2013):
> On Tue, Oct 22, 2013 at 8:53 AM, Yasuo Ohgaki <[email protected]> wrote:
>
>> Hi all,
>>
>> Without 'true', session_regenerate_id() will not delete old session data
>> which may contain sensitive data. It was made 'false' by default for
>> users relying on the bug. (PHP 4.x, IIRC)
>>
>> Almost all users should call session_regenerate_id() with the 'true' parameter.
>> Therefore, I would like to suggest making it 'true' by default from the next PHP.
>>
>> Any comments?
>>
>> --
>> Yasuo Ohgaki
>> [email protected]
>
> We could add an E_DEPRECATED for the session_regenerate_id(false) usage
> for 5.6 instead.
Presumably what we want to deprecate is not the *ability* to pass false, but the *default* of false.
So raise an E_DEPRECATED if you don't pass the parameter, and document that passing true will normally be the desired behaviour. Then in some future major version, remove the default value, making it an E_ERROR or whatever to omit it.
--
Rowan Collins
[IMSoP]
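As an added illustration of the behaviour the thread is discussing (this is example code written for this page, not code from any of the posters or from the PHP project), the script below regenerates a session ID once with the default argument and once with `true`, and reports whether the previous ID's data is still on disk afterwards. It assumes the default "files" save handler, a writable temp directory, and that it is run from the CLI (`php regen_demo.php`); the session payload is a constructed sample value.

```php
<?php
// Added example: compare session_regenerate_id() with and without
// $delete_old_session, using the default "files" save handler.
declare(strict_types=1);

// Assumption: a private, writable save path so we can inspect the files.
$savePath = sys_get_temp_dir() . '/sess_demo_' . getmypid();
if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
    fwrite(STDERR, "cannot create $savePath\n");
    exit(1);
}
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');     // CLI run: no cookie headers to send
ini_set('session.cache_limiter', '');    // CLI run: no cache headers either
ini_set('session.use_strict_mode', '1'); // reject uninitialised session IDs

/**
 * Store a value in the session, regenerate the ID with the given
 * $deleteOld flag, and report whether the old ID's file still exists.
 */
function regenerate_and_inspect(bool $deleteOld, string $savePath): array
{
    session_start();
    $_SESSION['secret'] = 'constructed-sample-token'; // constructed sample data
    session_write_close();   // persist the data under the current ID
    session_start();         // resume the same ID
    $oldId = session_id();

    session_regenerate_id($deleteOld);
    $newId = session_id();
    session_write_close();

    return [
        'delete_old_session'   => $deleteOld,
        'old_id'               => $oldId,
        'new_id'               => $newId,
        'old_data_still_on_disk' => file_exists("$savePath/sess_$oldId"),
    ];
}

// Default argument: the old session file (with its data) is left behind.
print_r(regenerate_and_inspect(false, $savePath));

// With true: the old session file is destroyed when the ID changes.
print_r(regenerate_and_inspect(true, $savePath));

// Clean up the demo save path.
foreach (glob("$savePath/sess_*") ?: [] as $file) {
    unlink($file);
}
rmdir($savePath);
```

The first report shows `old_data_still_on_disk => 1`, the second `old_data_still_on_disk =>` empty (false). This is the gap Yasuo describes: after a login or privilege change, the ID the client used before regeneration still maps to a readable copy of the session data unless `true` is passed, so a handler that regenerates IDs on authentication should call `session_regenerate_id(true)` (or, on a modern PHP, rely on `session.use_strict_mode` plus an explicit destroy of the old session).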