Hi Niklas,

On Thu, Oct 20, 2016 at 7:39 PM, Niklas Keller <m...@kelunik.com> wrote:
> 016-10-20 11:57 GMT+02:00 Yasuo Ohgaki <yohg...@ohgaki.net>:
>>
>> Hi Niklas,
>>
>> On Thu, Oct 20, 2016 at 6:01 PM, Niklas Keller <m...@kelunik.com> wrote:
>> >
>> > same here, it's not acceptable to limit header and restrict
>> > `set_cookie`.
>> > Just think about all those frameworks that would have to specialcase
>> > setting
>> > headers now and have to use the cookie API then.
>> >
>> > If you want to protect the session cookie header, why not simply set it
>> > right before the first output? That'd make it also non-overrideable, but
>> > leaves header() intact. But I guess it's harder to implement.
>>
>> Although, I prefer to have completely separate API, we have to
>> implement vote result. So vote no for "Disabling 'Set-Cookie' for
>> header*()" vote option.
>
>
> I don't have a vote. But this breaks BC. It might remove surprisings when
> using sessions, but having header() not being able to set `set-cookie`
> headers adds new surprisings.

That's why we have minor releases and document.

Besides, I noted "add API 7.x, disallow header('Set-Cookie') by 8.0".
There are years to prepare for the change even if we decide to do so.

>
>>
>> Regarding about delaying session cookie header, it is possible to use
>> output buffer to delay output so that session module can send HTTP
>> header at request shutdown. However, it will break almost all session
>> enabled applications that require immediate output. Therefore, it's
>> easy to implement, but not possible for this reason.
>
>
> I meant squeeze in right before output or on first flush() call. There must
> be a thing that sets a "already output" flag that prevents further headers.
> We could use that mechanism to buffer all headers and just send them out
> there and have a hook for the session module.

The reason why I think of this new API proposal is to remove
core(main/SAPI.c) dependency to session. Your idea requires the
dependency (main/SAPI.c) like my the other proposal. Technically, it's
possible and it can be simpler by detecting and preventing session ID
deletion/modification.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to