Why not have a new session module? Those who want no change for existing
applications keep the old one, new projects can use the new one, and those who want
more security port their code to the new one, e.g. use session2_start(), etc.

Regards
Thomas

Yasuo Ohgaki wrote on 25. Sept 2016 22:35:

> Hi all,
> 
> Timestamp based session management is required to manage sessions as they
> should be managed. I've updated the session manual pages a while ago to explain
> why.
> 
> http://php.net/manual/en/session.security.php
> http://php.net/manual/en/function.session-regenerate-id.php
> 
> Although the session module has over 10 years of history, it still
> lacks basic features and is not fully implemented yet. As I mentioned
> in the above manual pages, it does not have _mandatory_ timestamp based
> session management.
> 
> I proposed an implementation [1], but it was declined, even though it is
> mandatory for the session module to manage session data correctly and
> precisely.
> 
> Some may think "timestamp management should be part of the user's task", but
> even a simple basic feature like session_regenerate_id() can NOT work as
> it is supposed to without timestamp based management. (Other mandatory tasks
> have problems also, but I ignore them for now.)
> 
> There is a userland workaround, as described. Users can implement their
> own session_regenerate_id() as described in the manual page.
> 
> Since session management is a very important feature for web apps, we
> shouldn't keep providing a halfway implemented API forever.
> Implementation or removal is required.
> 
> I would like to propose either
> 
>  timestamp based (precise) session management again.
> OR
>  session_regenerate_id() deprecation now and removal in future version.
> 
> Any comments?
> 
> Regards,
> 
> [1] https://wiki.php.net/rfc/precise_session_management
> 
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
> 
> -- 
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

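The "userland workaround" Yasuo refers to is a timestamp based regeneration scheme: instead of destroying the old session record the moment a new id is issued (session_regenerate_id(true)), the old record is kept for a short grace period and tagged with when it was retired and which id succeeded it. The following is an added example written for this page, not code from the thread, the RFC or the PHP manual. It assumes PHP 7.1 or later (for session_create_id()), the files or any other standard session handler, and its own choices for the grace period, rotation interval, $_SESSION key names and the placeholder login check at the bottom.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or the PHP manual. Timestamp based
// session regeneration in userland: a retired record stays readable for a short
// grace period, tagged with the retirement time and the successor id, so a
// client whose new cookie was lost in transit can still be moved to the new id,
// while a request presenting the old id after the grace period is treated as
// evidence of a stolen cookie. Values and key names are this example's own.

const SESSION_REGENERATE_GRACE    = 300;  // seconds a retired id is still accepted (assumption)
const SESSION_REGENERATE_INTERVAL = 900;  // seconds before a live id is rotated (assumption)

function secure_session_start(): void
{
    // Strict mode makes PHP ignore ids that have no record in the store,
    // which closes the session fixation path through client-chosen ids.
    ini_set('session.use_strict_mode', '1');
    session_start();

    if (!isset($_SESSION['destroyed'])) {
        // Live record: rotate the id periodically so a leaked id has a bounded life.
        if (!isset($_SESSION['created'])) {
            $_SESSION['created'] = time();
        } elseif (time() - $_SESSION['created'] > SESSION_REGENERATE_INTERVAL) {
            secure_session_regenerate_id();
        }
        return;
    }

    if (time() - $_SESSION['destroyed'] > SESSION_REGENERATE_GRACE) {
        // Far too late for a lost cookie: somebody else holds this id.
        // Log it, drop the record and fail the request; a real application
        // would also revoke every other session of the affected user here.
        error_log(sprintf('retired session id presented after grace period (user %s)',
            (string) ($_SESSION['user_id'] ?? 'anonymous')));
        session_unset();
        session_destroy();
        throw new RuntimeException('session expired');
    }

    if (isset($_SESSION['new_session_id'])) {
        // Inside the grace period: assume the new cookie never arrived and
        // switch this request to the successor id (session_start re-sends the cookie).
        switch_to_session_id($_SESSION['new_session_id']);
    }
}

function secure_session_regenerate_id(): void
{
    $data = $_SESSION;            // live data to carry over to the new record
    $new  = session_create_id();  // an id only; no record exists for it yet

    // Retire the current record instead of deleting it.
    $_SESSION['destroyed']      = time();
    $_SESSION['new_session_id'] = $new;
    session_commit();

    switch_to_session_id($new);
    // Fresh record: copy the live data, but never the retirement markers.
    $_SESSION = $data;
    unset($_SESSION['destroyed'], $_SESSION['new_session_id']);
    $_SESSION['created'] = time();
}

function switch_to_session_id(string $id): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_commit();
    }
    // Strict mode would discard an id with no record yet, so relax it only
    // while adopting the id we generated ourselves, then turn it back on.
    ini_set('session.use_strict_mode', '0');
    session_id($id);
    session_start();
    ini_set('session.use_strict_mode', '1');
}

// Assumed request flow (not from the thread): start the session on every
// request and rotate the id on privilege change, so a pre-login id is never
// reused after authentication.
secure_session_start();
if (isset($_POST['login_ok'])) {   // placeholder for a successful credential check
    secure_session_regenerate_id();
    $_SESSION['user_id'] = 42;     // constructed value
}
```

The grace branch only follows one hop: if the successor record has itself been retired by a later rotation, the request lands on another retired record and the next request resolves it the same way. The important check is the one session_regenerate_id() cannot do on its own: a request that presents an id retired longer than SESSION_REGENERATE_GRACE seconds ago is not a lost cookie but a second party using the session, which is exactly the signal the timestamp provides.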
