Hi all,
I think most of the concerns about session_regenerate_id() have been discussed.
I would like to finish this RFC.
The following RFC was made to change session_regenerate_id(TRUE) by default.
I initially tried to remove old session data immediately with this RFC, but
it turned out we should care more about reliability in real-world
environments.
Secure session_regenerate_id()
https://wiki.php.net/rfc/session_regenerate_id
The time stamp could be outside of $_SESSION. It requires BC modification in
the serializer and/or save handler. It would be complex and possibly slower
depending on the implementation.
I hope it's precise enough and that the idea behind it is easy to understand.
If you have suggestions, it would be appreciated.
Names can be anything, especially.
If I'm missing something, please let me know.
Regards,
--
Yasuo Ohgaki
[email protected]