Hi all,
On Tue, Oct 22, 2013 at 3:53 PM, Yasuo Ohgaki <[email protected]> wrote:
> Hi all,
>
> Without 'true', session_regenerate_id() will not delete old session data,
> which may contain sensitive data. It was made 'false' by default for
> users relying on the bug. (PHP 4.x, IIRC)
>
> Almost all users should call session_regenerate_id() with the 'true'
> parameter. Therefore, I would like to suggest making it 'true' by default
> from the next PHP.
>
> Any comments?
>

I've created an RFC for this.
https://wiki.php.net/rfc/session_regenerate_id

I think Rowan's proposal is the best, so this RFC proposes to raise
an E_DEPRECATED error.

On Wed, Oct 23, 2013 at 8:55 PM, Rowan Collins <[email protected]>
wrote:
> So raise an E_DEPRECATED if you don't pass the parameter, and document
> that passing true will normally be the desired behavior. Then in some
> future major version, remove the default value, making it an E_ERROR or
> whatever to omit it.

If there are any more comments, I would appreciate them.

Regards,
--
Yasuo Ohgaki
[email protected]
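
The behaviour discussed in this thread, as an added example that is not part of the original message or of the RFC: a CLI script that regenerates a session ID with and without 'true' and checks whether the old record is still in the session store. The temporary save path, the session key and the helper name old_record_survives() are constructed for the demonstration; it assumes PHP 7 or later and the default "files" save handler.

```php
<?php
// Added example. Run from the CLI: php regen_demo.php
// All session settings are made before any output so ini_set() is accepted.
$savePath = sys_get_temp_dir() . '/sess_demo_' . getmypid();   // constructed path
@mkdir($savePath, 0700);
ini_set('session.save_handler', 'files');
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');    // no cookie headers in the CLI
ini_set('session.cache_limiter', '');

// Hypothetical helper: returns true when the pre-regeneration record is
// still readable in the store after session_regenerate_id($deleteOld).
function old_record_survives(bool $deleteOld, string $savePath): bool
{
    // "Earlier request": an anonymous session stores something sensitive.
    session_id(bin2hex(random_bytes(16)));
    session_start();
    $oldId = session_id();
    $_SESSION['secret'] = 'constructed-sensitive-value';
    session_write_close();

    // "Login request": same session, ID regenerated on privilege change.
    session_start();
    session_regenerate_id($deleteOld);
    $newId = session_id();
    session_write_close();

    // The files handler stores each session as sess_<id> in save_path.
    clearstatcache();
    $oldFile = "$savePath/sess_$oldId";
    $survives = is_file($oldFile)
        && strpos((string) file_get_contents($oldFile), 'constructed-sensitive-value') !== false;

    @unlink($oldFile);                    // clean up both records
    @unlink("$savePath/sess_$newId");
    return $survives;
}

$withoutDelete = old_record_survives(false, $savePath);
$withDelete    = old_record_survives(true, $savePath);
@rmdir($savePath);

echo 'session_regenerate_id(false): old record ',
     $withoutDelete ? "still in the store\n" : "deleted\n";
echo 'session_regenerate_id(true):  old record ',
     $withDelete ? "still in the store\n" : "deleted\n";
```

When the old record survives, it stays loadable under the old ID until session garbage collection removes it, which is why the call made at login or other privilege changes should pass 'true'.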