Hi,
> I think most PHP users are using the session module as a complete tool for their
> web applications. They rely on it for proper session management even if the manual
> explains that HTTP session management cannot be trusted.
You can't fix people's perceptions, and as Mateusz previously noted -
you're trying to fix a problem that appears in an upper layer; that
just isn't possible.
> Since HTTP session management cannot be trusted, ID regeneration is required to
> mitigate risks. However, the current session_regenerate_id() behavior can hardly be
> called optimum. It does not make sure the obsolete session is deleted, nor does it
> raise an alarm for possible abuse. When it deletes the old session, it is unreliable.
>
> ...
>
> Leaving an active session behind is an unacceptable risk to me.
> I fail to understand why some of us do not see the risk of current HTTP session
> management and/or think it should be part of user code.
You keep repeating this argument that deleting the old session is
unreliable, not secure, unacceptable. That is simply not true.
Yes, it's a good practice to try to detect attacks and log them, etc.,
but it's not mandatory, not doing it is not insecure, not a risk, and
it is up to the application developer to decide whether or not to do
it and/or how to do it. There's no silver bullet for this.
> How about serializer wrapper?
It's a different approach, but otherwise the same thing.
Cheers,
Andrey.
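The thread argues over whether the obsolete session left behind by session_regenerate_id() should be deleted and whether reuse of it should be flagged. The following is an added example written for this page, not code from the thread, from the RFC under discussion, or from PHP's own session module. It shows a user-land regeneration routine that leaves only a tombstone in the old record, tolerates concurrent requests for a short grace period, and logs any later presentation of the obsolete ID. The $_SESSION keys (created_at, destroyed_at, new_session_id), the two time constants and the log message are assumptions of this example; the session_* functions used (session_create_id() requires PHP 7.1 or later) and their semantics are PHP's own.

```php
<?php
declare(strict_types=1);

// Added example: session ID regeneration that does not leave a live copy of the
// data under the old ID, plus detection of requests that keep using that old ID.
// Assumes the default (files) save handler and PHP >= 7.1 for session_create_id().

const REGEN_GRACE_SECONDS    = 60;  // window for in-flight requests still carrying the old ID
const REGEN_INTERVAL_SECONDS = 900; // rotate the ID after 15 minutes on the same one

/**
 * Start the session and validate the ID the client presented.
 * Returns 'ok', 'migrated' or 'rejected' so the caller can act and log.
 */
function startSessionChecked(): string
{
    session_start();

    if (!isset($_SESSION['destroyed_at'])) {
        return 'ok'; // a normal, active session record
    }

    $age = time() - (int) $_SESSION['destroyed_at'];
    if ($age <= REGEN_GRACE_SECONDS && isset($_SESSION['new_session_id'])) {
        // A legitimate request that raced with regeneration (e.g. parallel XHRs):
        // move it over to the new ID instead of handing it an empty session.
        $newId = (string) $_SESSION['new_session_id'];
        session_commit();
        session_id($newId);
        session_start();
        return 'migrated';
    }

    // The obsolete ID is being used after the grace period. This is the case the
    // thread wants an alarm for: a copied cookie replayed after the owner moved on.
    error_log(sprintf(
        'obsolete session id presented %d s after regeneration (client %s)',
        $age,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    $_SESSION = [];
    session_destroy();
    return 'rejected';
}

/**
 * Regenerate the ID: replace the old record's data with a tombstone (so later
 * use is detectable), then switch the client to a fresh ID carrying the data.
 */
function regenerateSessionId(): void
{
    $data  = $_SESSION;
    $newId = session_create_id();

    // Tombstone instead of an active duplicate of the session data.
    $_SESSION = [
        'destroyed_at'   => time(),
        'new_session_id' => $newId,
    ];
    session_commit();

    // Open the new record under the new ID; session_start() sends the new cookie.
    session_id($newId);
    session_start();
    $_SESSION = $data;
    $_SESSION['created_at'] = time();
    unset($_SESSION['destroyed_at'], $_SESSION['new_session_id']);
}

/** Rotate the ID on first use and periodically afterwards. */
function maybeRotate(): void
{
    $created = (int) ($_SESSION['created_at'] ?? 0);
    if ($created === 0 || time() - $created > REGEN_INTERVAL_SECONDS) {
        regenerateSessionId();
    }
}

// Usage in a front controller:
$state = startSessionChecked();
if ($state !== 'rejected') {
    maybeRotate();
    // ... handle the request with $_SESSION ...
}
```

The tombstone is what makes the difference the thread is arguing about: with plain session_regenerate_id() the old record either stays fully usable (default) or vanishes (with the delete flag), and in neither case can the application tell a stolen cookie from a stale one. Here the old record stays only long enough to absorb concurrent requests, and anything that presents it afterwards is logged and rejected. Regular session garbage collection still removes the tombstones.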