Hi all,

Timestamp based session management is required to manage sessions as it should. I've updated the session manual pages a while ago to explain why.

http://php.net/manual/en/session.security.php
http://php.net/manual/en/function.session-regenerate-id.php

Although the session module has over 10 years of history, the session module lacks a basic feature and is not implemented fully yet. As I mentioned in the above manual pages, it does not have _mandatory_ timestamp based session management.

I proposed an implementation [1], but it was declined even if it is mandatory for the session module to manage session data correctly and precisely.

Some may think "timestamp management should be part of user task", but even a simple basic feature like session_regenerate_id() can NOT work as it is supposed to without timestamp based management. (Other mandatory tasks have problems also, but I ignore them for now.)

There is a userland workaround as described. Users can implement their own session_regenerate_id() as described in the manual page.

Since session management is a very important feature for web apps, we shouldn't keep providing a halfway implemented API forever. Implementation or removal is required.

I would like to propose either timestamp based (precise) session management again, OR session_regenerate_id() deprecation now and removal in a future version.

Any comments?

Regards,

[1] https://wiki.php.net/rfc/precise_session_management

--
Yasuo Ohgaki
yohg...@ohgaki.net
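
The userland workaround the message refers to, sketched as an added example (not code from the post, the RFC, or the PHP manual): the old session is stamped as obsolete and kept for a short grace window instead of being deleted, and an obsolete ID presented after that window is refused. The function names, the `destroyed_at` and `successor_id` keys, and the 60-second `GRACE_SECONDS` value are assumptions; both functions are assumed to be called before any output is sent.

```php
<?php
// Added example. Key names and GRACE_SECONDS are assumptions, not from the post.
const GRACE_SECONDS = 60; // how long an obsolete ID is still tolerated

function ts_session_start(): void
{
    // Strict mode makes PHP refuse IDs that have no stored session.
    ini_set('session.use_strict_mode', '1');
    session_start();
    if (!isset($_SESSION['destroyed_at'])) {
        return; // current, live session
    }
    if ($_SESSION['destroyed_at'] < time() - GRACE_SECONDS) {
        // Obsolete ID presented after the grace window: stop using it.
        $_SESSION = [];
        session_destroy();
        throw new RuntimeException('obsolete session ID used after grace window');
    }
    // Inside the grace window: a concurrent request or a lost cookie.
    // Move this request to the successor session instead.
    $successor = $_SESSION['successor_id'];
    session_commit();
    session_id($successor);
    session_start();
}

function ts_session_regenerate_id(): void
{
    $newId = session_create_id(); // PHP >= 7.1
    // Mark the old session obsolete rather than deleting it at once.
    $_SESSION['destroyed_at'] = time();
    $_SESSION['successor_id'] = $newId;
    $carry = $_SESSION;
    session_commit();

    // The new ID has no stored data yet, so strict mode must be off here.
    // ts_session_start() turns it back on at the start of the next request.
    ini_set('session.use_strict_mode', '0');
    session_id($newId);
    session_start();

    // Copy the data across, minus the obsolescence markers.
    unset($carry['destroyed_at'], $carry['successor_id']);
    $_SESSION = $carry;
}
```

The obsolete session record stays in storage until the session garbage collector removes it, which is what lets a late request carrying the old ID be recognised rather than silently starting a fresh session.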