On May 11, 2016 11:46 AM, "Yasuo Ohgaki" <yohg...@ohgaki.net> wrote:
> Thank you for your comments. I've updated the RFC. You might like this version.
>

I still think we should not have that in core. If we do, it should be controlled by the application implementation and not ini settings (some routes may have it, others not, some routes may have a different TTL, etc.). I am not even sure it should be part of the session module.

Sessions are per definition easy. Implementing them correctly (whatever that means) is hard. Adding CSRF to ext/session feels like adding auth methods as well. Both CSRF and auth may need sessions but they are not part of the session features.

Cheers,
Pierre