Hi all,

On Mon, Sep 26, 2016 at 5:35 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Since session management is a very important feature for web apps, we
> shouldn't keep providing a halfway implemented API forever.
> Implementation or removal is required.
>
> I would like to propose either
>
> timestamp based (precise) session management again.
> OR
> session_regenerate_id() deprecation now and removal in future version.
>
> Any comments?

For those who are too busy to read the whole of

http://php.net/manual/en/session.security.php
http://php.net/manual/en/function.session-regenerate-id.php

(although I suggest reading them at least once), please read
session_regenerate_id() example #2.

Example #2 Avoiding lost session by session_regenerate_id()

Ideally, users must have something like this example code for session ID
regeneration. However, the example does not (cannot) use
session_regenerate_id() to manage the session. The session_regenerate_id()
feature is halfway implemented and cannot do the job as it should.

This is the reason why I am suggesting either timestamp implementation or
session_regenerate_id() deprecation.

I'm looking forward to comments, especially from those who voted no for
"Precise Session Management"[1]

Regards,

[1] https://wiki.php.net/rfc/precise_session_management

--
Yasuo Ohgaki
yohg...@ohgaki.net