Re: session_regenerate_id(true) by default
On Oct 29, 2013, at 10:14 AM, Christopher Jones <[email protected]> wrote:
>
> Hi Yasuo,
>
> If parameter omission is an issue, I think you should update the PHP
> function doc ASAP and explain the problem.
>
> Most E_DEPRECATED messages include the word "deprecated". I think
> your message could be:
>
> "Calling session_regenerate_id() without a parameter is
> deprecated. Passing true is encouraged for better security"
>
> Can you review whether "false" should ever be an allowed value?
I think we would want to continue to support false (we can check code.google.com or something to see
how much it’s being used without parameters or with false). [I am not online now unfortunately].
Eliminating the default option can absolutely work as it means users need to make a conscious
decision.
Andi
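
The usage survey suggested in the reply above (how often the function is called without a parameter or with false) can also be run against a local code base. This is an added example, not code from the thread or from the PHP project; the sample PHP source and the helper names are constructed, and the matching is textual rather than a PHP parse, so calls inside comments or strings are counted too.

```python
import re
from collections import Counter

# PHP function names are case-insensitive. The lookbehind skips method calls
# such as $obj->session_regenerate_id() or Foo::session_regenerate_id().
CALL_RE = re.compile(
    r"(?<![\w>:$])session_regenerate_id\s*\(\s*([^()]*?)\s*\)", re.IGNORECASE
)

def classify_argument(arg):
    """Map the literal argument text to one of four review categories."""
    value = arg.strip().lower()
    if value == "":
        return "omitted"      # caller relies on the default
    if value in ("true", "1"):
        return "true"
    if value in ("false", "0"):
        return "false"
    return "dynamic"          # variable or expression: needs manual review

def findings(source):
    """Return (line_number, category) for every call found in the source."""
    return [
        (source.count("\n", 0, m.start()) + 1, classify_argument(m.group(1)))
        for m in CALL_RE.finditer(source)
    ]

def summary(source):
    """Count calls per category, e.g. to size the impact of a deprecation."""
    return Counter(category for _, category in findings(source))

# Constructed sample input, not taken from any real project.
SAMPLE = """\
<?php
session_start();
session_regenerate_id();
if ($ok) { session_regenerate_id(true); }
Session_Regenerate_ID( FALSE );
session_regenerate_id($deleteOld);
$handler->session_regenerate_id();
"""

if __name__ == "__main__":
    for line, category in findings(SAMPLE):
        print(f"line {line}: {category}")
    print(dict(summary(SAMPLE)))
```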