Re: Session: deprecating create_sid() method and add createSid()?

Date: Mon, 17 Mar 2014 11:10:05 +0000
Subject: Re: Session: deprecating create_sid() method and add createSid()?
Groups: php.internals
On Mon, Mar 17, 2014 at 12:51 PM, Yasuo Ohgaki <[email protected]> wrote:
> Hi Andrey,
>
> On Mon, Mar 17, 2014 at 7:23 PM, Andrey Andreev <[email protected]> wrote:
>>
>> There's no SessionHandler::create_sid() or
>> SessionHandlerInterface::create_sid() documented (see your own link to
>> the docs) ... since when is this available?
>>
>> I'm not sure if exposing it is a good idea anyway, why is it necessary?
>
>
> This change is not mine. It was added about 10 years ago, IIRC.

And for 10 years it has not been documented? Really, are you sure that
it is exposed to userland at all?

> Having createSid() could be useful. For example, a user may have a certain
> prefix for session IDs. A user ID prefix is especially useful to know how
> many active sessions there are.
> (Note: I advise using MD5('user_id'.'random_secret') for user ID prefixing
> if user_id shouldn't be exposed.)

Surely that prefix can just be prepended to the $session_id that gets
passed to read(), write(), destroy() methods. This argument was given
to me when I proposed a session.match_ip feature. Why not add this as
an option to session_start()? Example:

session_start(['id_prefix' => 'foo_']);

(could be an ini setting, for optimization purposes)

> I've added session_create_id(). Therefore, if users start using it, it does
> not hurt much.
> If users do not need a modified session ID, they may simply call
> session_create_id().

Again with the "I've added this", that I opposed previously for
session_serializer_name(), session_gc() ... What's session_create_id()
useful for? How would you utilize it?

> The reason why this is added is that Stefan Esser's strict session patch had
> this, I guess.
> However, his patch was not fully merged and session remained weak until the
> 'use_strict_mode' patch.

Now I'm confused ... is it added to the core, or just supported as a
part of the suhosin extension and/or hardening patch?

Cheers,
Andrey.
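As an added illustration of the user-ID prefixing Yasuo describes (this is example code, not from the thread or from PHP itself): a save handler that overrides SessionHandler::create_sid() (the built-in hook, available since PHP 5.5.1) so every new session ID starts with a keyed hash of the user ID, plus a helper that counts that user's active sessions by scanning the files save path. The class name UserPrefixedHandler, the $userId/$secret values and the files-handler layout are this example's own assumptions; HMAC-SHA256 is used in place of the MD5('user_id'.'random_secret') construction mentioned above.

```php
<?php
// Added example (not from the thread): a save handler that prefixes each new
// session ID with a keyed hash of the user ID, so that one user's active
// sessions can be counted without exposing the user ID in the session ID.
// SessionHandler::create_sid() is the built-in hook (PHP >= 5.5.1); the names
// UserPrefixedHandler, $userId and $secret are assumptions of this example.
class UserPrefixedHandler extends SessionHandler
{
    private $prefix;

    public function __construct($userId, $secret)
    {
        // HMAC-SHA256 instead of MD5(user_id . secret): a keyed hash keeps the
        // user ID unrecoverable from the ID. Hex output only uses characters
        // the session module accepts in an ID (a-z, A-Z, 0-9, ",", "-").
        $this->prefix = substr(hash_hmac('sha256', (string) $userId, $secret), 0, 16);
    }

    // Called by the session module whenever a new ID is needed (initial start
    // and regeneration, including under session.use_strict_mode). The value
    // returned here is exactly what read()/write()/destroy() later receive,
    // so the prefix never has to be stripped again.
    public function create_sid()
    {
        return $this->prefix . '-' . parent::create_sid();
    }

    // Count this user's sessions by scanning for the prefix. Assumes the
    // default files handler layout: sess_<id> inside session.save_path.
    public function countActiveSessions()
    {
        $dir = session_save_path() ?: sys_get_temp_dir();
        return count(glob($dir . '/sess_' . $this->prefix . '-*'));
    }
}

// Usage with constructed values; the secret must be random and server-side.
$handler = new UserPrefixedHandler(42, 'replace-with-random-secret');
session_set_save_handler($handler, true);
session_start();
echo $handler->countActiveSessions(), "\n";
```

Counting by prefix only works while the secret is stable; rotating it changes every user's prefix and orphans the old sessions from the count.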
