Hi Lester,

On Thu, May 12, 2016 at 6:27 PM, Lester Caine <les...@lsces.co.uk> wrote:
> On 12/05/16 04:19, Yasuo Ohgaki wrote:
>> It could be an option that abandon session module and let users to
>> implement decent session manager because we are taking too long time
>> even for mandatory things even if there are implementations. It is
>> simply taking too long time to fix them. I'm half joking, but half
>> serious :)
>
> Yasuo ... THIS is the situation with a number of elements of PHP, and I
> DO understand where you are coming from. PHP is nicely modular and so
> creating a complete module ... well documented ... clean API ... makes
> perfect sense. Getting acceptance may be a different matter, such as
> switching from mysql to mysqli, but it does provide a document-able
> upgrade path for the problem in hand.
>
> I'm the first to admit I rely on the simple options so still use
> anonymous session for the majority of users simply because they are
> never going to log in, while I consider an authenticated user as a
> different animal so needs a different type of security. That is the main
> reason I posted the 'off topic' bits earlier in this thread. It IS a
> matter of what is the ideal set-up for the vast majority of PHP users
> who can justify laying out lots of money for the best chargeable
> security, and there is now at least a path that can be documented to
> help them which includes https, sessions and authentication?

I was half serious and willing to maintain/improve session module,
security related area especially.

Anyway, session module should be like RDBMS, not NoSQL. I don't want
to care about locks, race conditions, synchronization,
vulnerabilities, etc. It should just work out of the box with
reasonable default behavior. IMO.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php