> > This is added because when session cannot be started, then it should fail.
> > This fix is related to https://bugs.php.net/bug.php?id=71243
> > The php_session_abort() is not directly related to this bug, but this (and
> > other fixes) is added because session_start() returns TRUE even when it
> > fails/should fail.
> >
> > Note: PHP 5.6's session_start() return value fix is not perfect to keep
> > save handler compatibility which is a big one. PHP7 should return FALSE
> > for session_start() failures always by the fix.
> >
> > Fixing the broken test should be just removing the php_session_abort() from
> > php_session_cache_limiter().
>
> Fixing broken tests most likely means BC will remain which is not so good.

you probably meant BC *break* will remain which I agree that isn't good.

> I understand the overall goal to improve session security but this is an
> area that has behaved this way for years. I am totally convinced that such
> big changes should have (or should) in stable branches, be 7.0 or 5.6.
> Especially because testing these changes takes time.

I have to look through the changes and the original bug report which warranted this change, but my gut feeling is that this shouldn't be changed in a micro version, and Yasuo even changed/fixed a handful of tests together with the code changes, so the potential impact could be even bigger than what Remi spotted with their CI pipeline.