Hi Andrey,
On Mon, Mar 17, 2014 at 7:23 PM, Andrey Andreev <[email protected]> wrote:
> There's no SessionHandler::create_sid() or
> SessionHandlerInterface::create_sid() documented (see your own link to
> the docs) ... since when is this available?
>
> I'm not sure if exposing it is a good idea anyway, why is it necessary?
>
This change is not mine. It was added about 10 years ago, IIRC.
Having createSid() could be useful. For example, a user may have a certain
prefix for session IDs. A user ID prefix is especially useful to know how
many active sessions there are.
(Note: I advise using MD5('user_id'.'random_secret') for user ID prefixing
if user_id shouldn't be exposed.)
I've added session_create_id(). Therefore, if users start using it, it does
not hurt much.
If users do not need a modified session ID, they may simply call
session_create_id().
The reason why this is added is that Stefan Esser's strict session patch had
this, I guess.
However, his patch was not fully merged and session remained weak until the
'use_strict_mode' patch.
Regards,
--
Yasuo Ohgaki
[email protected]
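
Added example, not part of the original message or of PHP's own code: the per-user session ID prefix described above, built with session_create_id() and used to count a user's active sessions. The secret constant and the helper names are hypothetical, and HMAC-SHA-256 is swapped in for the MD5 concatenation mentioned in the message.

```php
<?php
// Added example, not code from the thread. SESSION_PREFIX_SECRET and the
// helper names below are hypothetical; load the real secret from configuration.
const SESSION_PREFIX_SECRET = 'constructed-secret-for-illustration';

// Derive an opaque per-user prefix so the raw user ID never appears in the cookie.
function userSessionPrefix(string $userId): string
{
    // HMAC-SHA-256 is used here instead of MD5(user_id . secret). The hex
    // output stays within the characters session_create_id() accepts in a
    // prefix (a-z, A-Z, 0-9, ',' and '-').
    return substr(hash_hmac('sha256', $userId, SESSION_PREFIX_SECRET), 0, 16);
}

// Let PHP generate the random part of the ID; only the prefix is ours.
function createUserSessionId(string $userId): string
{
    $id = session_create_id(userSessionPrefix($userId) . '-');
    if ($id === false) {
        throw new RuntimeException('session_create_id() failed');
    }
    return $id;
}

// Count the stored session IDs that carry one user's prefix.
function countUserSessions(array $storedIds, string $userId): int
{
    $prefix = userSessionPrefix($userId) . '-';
    $len = strlen($prefix);
    return count(array_filter(
        $storedIds,
        fn(string $id): bool => strncmp($id, $prefix, $len) === 0
    ));
}

// Constructed sample: IDs as a session store might list them.
$stored = [
    createUserSessionId('alice'),
    createUserSessionId('alice'),
    createUserSessionId('bob'),
];
printf(
    "alice: %d, bob: %d\n",
    countUserSessions($stored, 'alice'),
    countUserSessions($stored, 'bob')
);
```

The prefix only groups sessions by user; the unpredictability of the ID still comes from the random part that session_create_id() appends.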