Re: Re: session_regenerate_id(true) by default

From: Date: Tue, 29 Oct 2013 17:14:53 +0000
Subject: Re: Re: session_regenerate_id(true) by default
References: 1 2  Groups: php.internals 


On 10/29/2013 03:44 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> On Tue, Oct 22, 2013 at 3:53 PM, Yasuo Ohgaki <[email protected]> wrote:
>
>> Hi all,
>>
>> Without 'true', session_regenerate_id() will not delete old session data,
>> which may contain sensitive data. It was made 'false' by default for
>> users relying on the bug. (PHP 4.x, IIRC)
>>
>> Almost all users should call session_regenerate_id() with the 'true'
>> parameter. Therefore, I would like to suggest making it 'true' by default
>> from the next PHP.
>>
>> Any comments?
>
> I've created an RFC for this.
> https://wiki.php.net/rfc/session_regenerate_id

Hi Yasuo,

If parameter omission is an issue, I think you should update the PHP function doc ASAP and explain the problem.

Most E_DEPRECATED messages include the word "deprecated". I think your message could be:

  "Calling session_regenerate_id() without a parameter is deprecated. Passing true is encouraged for better security"

Can you review whether "false" should ever be an allowed value? The PHP doc could be improved to explain why someone might use true or false.

FWIW, the message line in the RFC patch got truncated.

Chris

-- 
[email protected]
http://twitter.com/ghrd
Free PHP & Oracle book:
http://www.oracle.com/technetwork/topics/php/underground-php-oracle-manual-098250.html
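The following is an added illustration of the point Yasuo raises in the quoted message; it is not code from the thread, from the RFC, or from PHP's own sources. It rotates the session ID at a privilege change (the usual login case) and reports whether the record stored under the previous ID is still on the server afterwards. It assumes the default 'files' save handler, a writable save path, and the CLI SAPI for the demo at the bottom; the helper names `session_record_path` and `rotate_session` are hypothetical.

```php
<?php
// Added example: compare session_regenerate_id(false) with
// session_regenerate_id(true). With the 'files' handler, the bare call keeps
// the old session record on disk (stale copy of possibly sensitive data);
// passing true destroys it, which is the behaviour the thread recommends.

declare(strict_types=1);

/** Path of the session record for $id under the 'files' handler (assumption). */
function session_record_path(string $id): string
{
    $dir = ini_get('session.save_path') ?: sys_get_temp_dir();
    // session.save_path may have the form "N;MODE;/path"; use the last segment.
    $parts = explode(';', $dir);
    return rtrim((string) end($parts), '/') . '/sess_' . $id;
}

/**
 * Rotate the session ID at a privilege change (e.g. right after login).
 * Returns the old and new IDs and whether the old record still exists.
 */
function rotate_session(bool $deleteOldRecord): array
{
    $oldId = session_id();
    if (!session_regenerate_id($deleteOldRecord)) {
        throw new RuntimeException('session_regenerate_id() failed');
    }
    // Persist the data under the new ID so the on-disk comparison is meaningful.
    session_write_close();

    return [
        'old_id'          => $oldId,
        'new_id'          => session_id(),
        'old_record_kept' => file_exists(session_record_path($oldId)),
    ];
}

if (PHP_SAPI === 'cli') {
    // CLI demo: no cookies are needed, the ID is tracked in-process.
    ini_set('session.save_path', sys_get_temp_dir());
    ini_set('session.use_cookies', '0');
    ini_set('session.use_strict_mode', '1');

    session_start();
    $_SESSION['secret'] = 'constructed sample value';

    // The insecure form, shown only to make the leftover record visible.
    $r1 = rotate_session(false);
    printf("regenerate(false): old record kept = %s\n",
        var_export($r1['old_record_kept'], true));
    // Remove the stale record ourselves; real code should never leave it behind.
    $stale = session_record_path($r1['old_id']);
    if (is_file($stale)) {
        unlink($stale);
    }

    // Resume the same session and rotate again, this time deleting the old record.
    session_start();
    $r2 = rotate_session(true);
    printf("regenerate(true):  old record kept = %s\n",
        var_export($r2['old_record_kept'], true));
}
```

Run it as `php rotate.php`. The first rotation leaves the previous record in the save path, which is exactly the data Yasuo describes surviving when the parameter is omitted; the second rotation removes it. In application code the only call worth making is the `true` form, placed immediately after authentication succeeds and before any privileged data is written to `$_SESSION`.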

