Re: [VOTE] RFC: Introduce session_start() options - read_only, unsafe_lock, lazy_write and lazy_destroy

From:
Date: Sun, 16 Mar 2014 06:11:45 +0000
Subject: Re: [VOTE] RFC: Introduce session_start() options - read_only, unsafe_lock, lazy_write and lazy_destroy
Groups: php.internals

Hi all,

On Fri, Mar 7, 2014 at 5:34 AM, Yasuo Ohgaki <[email protected]> wrote:

> Hi Peter,
>
> On Mon, Mar 3, 2014 at 7:56 PM, Peter Cowburn <[email protected]> wrote:
>
>> Is this vote still in-progress? The RFC page says yes, but the closing
>> date has long-since passed.
>
>
> Thank you for the reminder.
> Proposal 1 passed 9 vs 1.
> Proposals 2 and 3 are declined 1 vs 7 and 1 vs 6.
>
> Lazy deletion is a design bug fix. This issue cannot be solved without
> delayed deletion due to a technical reason of current web technology. This
> also involves session security. The current implementation also allows
> attackers to exploit a stolen session for as long as they want.
> I'll come back to this issue later.
>
> Thank you all for voting!
>

The modified patch for this RFC is here:

https://github.com/yohgaki/php-src/compare/PHP-5.6-rfc-session-lock

There may still be leftovers. I'll check it again later, but it's
appreciated if you find any.

Someone asked if I'm going to allow changing all of the session INIs by
session_start(). I think it's good to have.

I would like to implement this as a hash of INI options and handlers, like

  "option_name" => function_of_INI_modify_handler;

This way, I can iterate over the parameter array easily/efficiently, change
INI values easily/efficiently, and raise appropriate errors.

Any comments on this?

Regards,

--
Yasuo Ohgaki
[email protected]

