Hi Grzegorz,

On Tue, Dec 22, 2015 at 5:42 PM, Grzegorz Zdanowski <grzegorz...@gmail.com> wrote:
>> On 22 Dec 2015, at 06:37, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>> (…)
>> From user point of view, $_SESSION['__SESSION_INTERNAL__'] is a new reserved/
>> restricted session key.
>>
>
> Personally I think it’s a bad way to handle such a thing. Adding yet another
> „magic“ keyword/reserved field is going to make the current situation worse.

The current situation is bad enough already. I've tried to advocate proper
session management including "strict session ID management" for years
w/o success, i.e. session.use_strict_mode=1

I think enough time has gone by already.

The same argument applies to CSRF protection. I'll add automatic and
site-wide CSRF protection by using the internal session data structure in
the future, hopefully for 7.1.

> I know users should not use names starting with __, but in reality I see them
> almost every day. I've even seen __SESSION_INTERNAL__ used once.

Thank you for the good feedback.
I may use a more cryptic name for it. Any suggestions?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php