Hi Dominic,

On Sun, Jan 21, 2018 at 11:10 AM, Dominic Guhl <dominic.g...@posteo.de> wrote:

> The PHP documentation on Session Data Deletion:
>
> > Obsolete session data must be inaccessible and deleted. Current
> > session module does not handle this well.
>

Session managers must remove obsolete sessions for security reasons. The PHP session module does not handle this well. There was an RFC:

https://wiki.php.net/rfc/precise_session_management

I think those who opposed this RFC do not understand the security implications/risks without this proposal. This can be done by user code as well. Some people insisted this kind of feature should be implemented in frameworks, even though no framework has implemented it. It's been 5 years since the RFC was created. All PHP frameworks and apps should have implemented proper session management by now. If not, we would be better off implementing it in the session module, IMO.

The current OWASP session management cheat sheet

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_Expiration

defines idle/absolute/renewal timeouts. PHP cannot handle any of them properly.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
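The message above argues that the three OWASP timeouts (idle, absolute, renewal) and the deletion of obsolete session data have to be done in user code today. The following is an added example of doing exactly that in user land; it is not code from the thread, from the RFC or from any framework. It assumes the default PHP session extension, the PHP 7.3+ array form of session_set_cookie_params(), and that with delete_old_session = false session_regenerate_id() writes the current $_SESSION under the old ID before switching to the new one. The timeout values, the '__meta' key and the function names are illustrative assumptions.

```php
<?php
// Added example (not from the thread or the RFC): user-land idle, absolute and
// renewal timeouts for PHP sessions. A superseded session ID stays usable only
// for a short grace period (for requests already in flight) and is rejected and
// deleted afterwards instead of lingering until garbage collection.
// All timeout values, the '__meta' key and the function names are assumptions.
declare(strict_types=1);

const IDLE_TIMEOUT     = 15 * 60;  // OWASP idle timeout: max seconds between requests
const ABSOLUTE_TIMEOUT = 8 * 3600; // OWASP absolute timeout: max total session lifetime
const RENEWAL_INTERVAL = 5 * 60;   // OWASP renewal timeout: regenerate the ID this often
const GRACE_PERIOD     = 60;       // seconds a superseded ID is still accepted

function secure_session_start(): void
{
    // Reject client-supplied IDs that do not exist in storage (anti-fixation)
    // and keep the cookie off the URL, off JavaScript and off plain HTTP.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now  = time();
    $meta = $_SESSION['__meta'] ?? null;

    if (!is_array($meta)) {
        // Brand-new session: record the timestamps the three timeouts are measured from.
        $_SESSION['__meta'] = ['created' => $now, 'last' => $now, 'renewed' => $now];
        return;
    }

    // A superseded ID presented after the grace period is either a stolen ID or a
    // badly stale client: its data must become inaccessible now, not at next GC.
    if (isset($meta['destroyed']) && $now - $meta['destroyed'] > GRACE_PERIOD) {
        invalidate_session('obsolete session id reused');
        return;
    }
    if ($now - $meta['last'] > IDLE_TIMEOUT) {
        invalidate_session('idle timeout');
        return;
    }
    if ($now - $meta['created'] > ABSOLUTE_TIMEOUT) {
        invalidate_session('absolute timeout');
        return;
    }
    // Renewal happens only from the live record, never from an already superseded one.
    if (!isset($meta['destroyed']) && $now - $meta['renewed'] > RENEWAL_INTERVAL) {
        renew_session_id($now);
    }
    $_SESSION['__meta']['last'] = $now;
}

function renew_session_id(int $now): void
{
    // Stamp the current record as superseded BEFORE regenerating. With
    // delete_old_session = false, session_regenerate_id() saves the current
    // $_SESSION under the old ID and then switches to a fresh ID, so the old
    // record on disk carries the 'destroyed' stamp and the new one does not.
    $_SESSION['__meta']['destroyed'] = $now;
    session_regenerate_id(false);
    unset($_SESSION['__meta']['destroyed']);
    $_SESSION['__meta']['renewed'] = $now;
}

function invalidate_session(string $reason): void
{
    error_log('session invalidated: ' . $reason);
    // Drop the in-memory data and the stored record, then start an empty
    // replacement session. Because the old record is gone and strict mode is
    // on, the client's old cookie value is rejected and a fresh ID is issued.
    $_SESSION = [];
    session_destroy();
    session_start();
    $now = time();
    $_SESSION['__meta'] = ['created' => $now, 'last' => $now, 'renewed' => $now];
}

// Usage: call this at the top of every request instead of session_start().
secure_session_start();
```

Calling secure_session_start() instead of session_start() gives every request the three OWASP checks and makes a renewed ID's predecessor unusable after GRACE_PERIOD rather than after session.gc_maxlifetime. One deliberate limitation: when an obsolete ID is reused after the grace period, only that record is destroyed; an application that treats such reuse as a hijack signal would additionally revoke the successor session and force re-authentication.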