Hi Andrey,
On Thu, Mar 20, 2014 at 12:22 AM, Andrey Andreev <[email protected]> wrote:
> On Wed, Mar 19, 2014 at 12:12 PM, Ferenc Kovacs <[email protected]> wrote:
> >> If you choose "security" bug type, it's hidden.
> >
> >
> > nope, security bug type only makes it send the bug mail to
> > [email protected],
> > only private bugs are protected from public access.
> > that is something really error-prone, so I remember some discussion about
> > changing that, and making new security bugs to be private by default, but
> > AFAIK we never implemented that.
>
> Actually, somebody did implement it.
> Turned out the issue I wanted to report is solved though ... it was
> the regression with use_strict_mode in 5.5.3 and for some unknown
> reason, Ubuntu is sticking exactly to that version.
>
> On topic: I understand the gains, Yasuo.
> But I completely disagree that it's mandatory or that it is PHP's job
> at all. If I tell PHP to delete something, I expect it to do so,
> immediately.
https://wiki.php.net/rfc/session_regenerate_id
If you read my RFC, you'll see anyone can do that with
session_start(['regenerate_id_expire'=>0]);
or
ini_set('session.regenerate_id_expire', 0);
Regards,
--
Yasuo Ohgaki
[email protected]