Session Handler enhancement (create_sid) I would like to propose a new feature to the current custom session handling; the ability for a user defined function to be used when generating the session id.
The reasons are as follows: The Session Handler doesn't know when session_regenerate_id is used. If you want to set custom session identifiers, you have to use a replacement for session_regenerate_id. This prevents a session handler being dropped in to existing code without modification to that code. The flexibility given to sid generation using session.hash_function and session.hash_bits_per_character is still quite restrictive. I particularly dislike the chosen character set for session.hash_bits_per_character = 6, as the comma will always be urlencoded to %2C prior to being sent as a cookie. Existing code caters for a custom sid function (and has done since PHP 4), but it is not implemented. ps_module_struct already has a placeholder for s_create_sid, but it is hard-mapped to an internal function. The modifications required to allow a user function are minimal. I have created a patch/pull-request: https://github.com/php/php-src/pull/109 Regarding BC, I have implemented it such that supplying individual callbacks to session_set_save_handler is backwards compatible. The 7th argument is optional and if no callback is supplied the default is used. However when calling session_set_save_handler with a SessionHandler object, BC is broken. It is possible to preserve BC with a few changes but that means the interface would have to be incomplete. I think it is less evil to break BC for this relatively new feature (by new feature I mean the SessionHandler class - not create_sid), than it is to have a built-in class that doesn't match its associated built-in interface.
