Sascha Schumann wrote:
They are not helpful for various reasons. e.g. if you need to ask whether a session was started, your architecture is broken (a central place needs to manage sessions; that single place must know whether a session has been started).
Generally speaking I agree with what you're saying about needing to know if a session has been started or not. But I also believe it has its place for some userland custom session handlers. Being able to throw an exception in a session object's __construct() or __wakeup() for various reasons can present a situation that is easily solved inside __construct() by:
    if(session_has_started()) {         // Added function via patch
        session_regenerate_id($newID);  // Added $newID via the patch
        $_SESSION = array();
    } else {
        session_id($newID);
        session_start();
    }
Say there is an authentication token in the session, the session needs to be started so we can access the token. If the token proves to be invalid, we need to create a blank session with a new session ID.
Also, the concept of session_id_exists is fundamentally broken (think of atomic file creation). That is why there is no such function.
I disagree. If a provided session ID via $_REQUEST (for argument's sake) is found not to exist by using the theoretical session_id_exists(), that would mean the script was given an ID that wasn't created by PHP, and the script logic could act accordingly. What am I overlooking?
Regarding providing an id to session_regenerate_id: I have seen too many supposedly safe session id generators that I would be in favor of adding that kind of overwriting power.
I agree that PHP should be left to create a unique ID. But the functionality currently exists for the user to set their own ID with session_id($newID). The user has this ability before a session is started. But loses the ability when trying to use session_regenerate_id() in a similar fashion after the session has started. It seems like a contradiction to allow it in one case and not the other.
I could try and grok the source to figure it out myself, but someone here might know off the top of their head. Is calling something like md5(uniqid(rand(), TRUE)) better, worse, or equivalent to how PHP creates a unique session ID?
--
D a n i e l J C a i n J r .
Zend Certified Engineer
http://zend.com/zce.php?c=ZEND001685&r=210869656

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
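
The invalid-token case described in the message above, written with facilities that exist in current PHP (`session_status()`, `session.use_strict_mode`, `session_regenerate_id(true)`) instead of the patch's proposed functions. This is an added example, not part of the original post; it assumes PHP 7.1 or later, and `auth_token` and `token_is_valid()` are hypothetical names.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.1.
// 'auth_token' and token_is_valid() are hypothetical names for illustration.

declare(strict_types=1);

/** Hypothetical check: compare the stored token with the expected value in constant time. */
function token_is_valid($token, string $expected): bool
{
    return is_string($token) && hash_equals($expected, $token);
}

/**
 * Start (or reuse) the session, then discard it if its auth token is invalid.
 * Returns true when the existing session was kept, false when it was replaced.
 */
function open_verified_session(string $expectedToken): bool
{
    // session_status() answers "has a session been started?" directly.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Strict mode: do not accept session IDs the session store did not create.
        ini_set('session.use_strict_mode', '1');
        session_start();
    }

    if (token_is_valid($_SESSION['auth_token'] ?? null, $expectedToken)) {
        return true;
    }

    // Invalid token: drop the data, delete the old session record, and let
    // PHP generate the replacement ID from its CSPRNG instead of supplying one.
    $_SESSION = [];
    session_regenerate_id(true);
    return false;
}
```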