Hi Andi,
On Mon, Nov 4, 2013 at 9:00 AM, Andi Gutmans <[email protected]> wrote:
> On Oct 29, 2013, at 10:14 AM, Christopher Jones <
> [email protected]> wrote:
>
>
> Hi Yasuo,
>
> If parameter omission is an issue, I think you should update the PHP
> function doc ASAP and explain the problem.
>
> Most E_DEPRECATED messages include the word "deprecated". I think
> your message could be:
>
> "Calling session_regenerate_id() without a parameter is
> deprecated. Passing true is encouraged for better security"
>
> Can you review whether "false" should ever be an allowed value?
>
>
> I think we would want to continue to support false (we can check
> code.google.com or something to see how much it’s being used without
> parameters or with false). [I am not online now unfortunately].
>
> Eliminating the default option can absolutely work as it means users need
> to make a conscious decision.
>
I think the option should be kept forever.
I'll add race condition mitigation into the session module, but it's a
mitigation, not a solution.
Regards,
--
Yasuo Ohgaki
[email protected]