Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions

2024-03-03 Thread Rob Landers
On Sat, Mar 2, 2024, at 22:10, Kamil Tekiela wrote:
> Hi Internals,
> 
> I would like to start a discussion on a new RFC
> https://wiki.php.net/rfc/deprecate-get-post-sessions
> 
> Please let me know whether the idea is clear and the RFC is understandable.
> 
> In particular, I am looking for any feedback as to why this is a bad
> idea. The primary motivation behind this RFC is to reduce potential
> security pitfalls.
> 
> Regards,
> Kamil Tekiela
> 

For what it is worth, I’ve used this with great success on Google’s http-based 
job system in their cloud. Whether that is a good idea or not, I have no idea. 
But I suspect I’m not the only one that has relied on this behavior. 

— Rob

Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions

2024-03-03 Thread Kamil Tekiela
Hi Anton,

> As far as I know some session-related middlewares force custom-only session_id
> handling by setting
>
>use_cookies = Off
>use_only_cookies = On
>
> and then using session_id(...) directly
>
> Example:
> https://github.com/middlewares/php-session/blob/master/src/PhpSession.php#L137

I was not aware that some frameworks do that. But I don't understand
how this works. IMHO if you disable the use of cookies, but you also
tell PHP to use only cookies, it creates an impossible scenario. Isn't
that right?

The way I understand it is that there are 2 ways of propagating
session ID: cookies and GET/POST. You can tell PHP to use both or
either one of them, but not neither.

Only cookies:
use_only_cookies = On
use_cookies = On

Only GET/POST:
use_only_cookies = Off
use_cookies = Off

Both:
use_only_cookies = Off
use_cookies = On

The remaining 4th combination should create an impossible scenario.
Does it mean to use neither option?

I can change the proposal to deprecate only use_only_cookies=Off and
session.use_trans_sid=On and leave session.use_cookies alone, but I
just can't think of a situation when leaving that setting in PHP would
make sense.

I am probably missing something very important and I would appreciate
it if someone could explain to me what it is. I wouldn't want to
deprecate something that is used in popular frameworks.
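The following is an added example, not code from the RFC, the thread, or the middleware Anton linked. It encodes the three propagation combinations listed in the reply above, plus the fourth one (use_cookies=Off with use_only_cookies=On) that the quoted reply describes as "custom-only" session_id() handling, and audits the live ini values of the running PHP process. The helper names (iniBool, classifySessionPropagation, auditLiveSessionIni) are hypothetical; the sample configurations are constructed for the example. It reads settings with ini_get() only and never starts a session, so it can be run from the CLI as `php audit.php`.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for this example: classify how a PHP configuration lets
// the session ID reach the request, using only the three ini settings
// discussed in the thread.

/** Interpret an ini value the way PHP does ("On", "1", "true" => true). */
function iniBool(?string $value, bool $default): bool
{
    if ($value === null || $value === '') {
        return $default;
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

/**
 * @param array<string,string> $ini  session.* keys, as returned by ini_get()
 * @return array{mode:string, id_sources:list<string>, findings:list<string>}
 */
function classifySessionPropagation(array $ini): array
{
    $useCookies     = iniBool($ini['session.use_cookies'] ?? null, true);
    $useOnlyCookies = iniBool($ini['session.use_only_cookies'] ?? null, true);
    $useTransSid    = iniBool($ini['session.use_trans_sid'] ?? null, false);
    $findings = [];

    if ($useCookies && $useOnlyCookies) {
        $mode    = 'cookies only';
        $sources = ['Cookie header'];
    } elseif ($useCookies && !$useOnlyCookies) {
        $mode    = 'cookies and GET/POST';
        $sources = ['Cookie header', '$_GET', '$_POST'];
    } elseif (!$useCookies && !$useOnlyCookies) {
        $mode    = 'GET/POST only';
        $sources = ['$_GET', '$_POST'];
    } else {
        // use_cookies=Off with use_only_cookies=On: the combination the quoted
        // middleware example uses. PHP reads no ID from the request; the
        // application must call session_id() itself before session_start().
        $mode    = 'application-supplied only (session_id())';
        $sources = [];
    }

    if (!$useOnlyCookies) {
        $findings[] = 'session ID accepted from GET/POST: a client-chosen ID in a URL or form '
            . 'field is used as-is (fixation risk; IDs in URLs also end up in logs, '
            . 'bookmarks and Referer headers)';
    }
    if ($useTransSid) {
        $findings[] = 'session.use_trans_sid=On: PHP rewrites links and forms to embed the '
            . 'session ID in URLs';
    }
    if (!$useCookies && $useOnlyCookies) {
        $findings[] = 'no session ID is read from the request: works only if the application '
            . 'sets session_id() before session_start()';
    }

    return ['mode' => $mode, 'id_sources' => $sources, 'findings' => $findings];
}

/** Audit the live settings of this PHP process (no session is started). */
function auditLiveSessionIni(): array
{
    $ini = [];
    foreach (['session.use_cookies', 'session.use_only_cookies', 'session.use_trans_sid'] as $key) {
        $v = ini_get($key);
        $ini[$key] = $v === false ? '' : $v;
    }
    return classifySessionPropagation($ini);
}

// Constructed sample configurations: the three combinations from the reply
// above plus the fourth one from the quoted middleware example.
$samples = [
    'hardened'      => ['session.use_cookies' => 'On',  'session.use_only_cookies' => 'On',  'session.use_trans_sid' => 'Off'],
    'both'          => ['session.use_cookies' => 'On',  'session.use_only_cookies' => 'Off', 'session.use_trans_sid' => 'On'],
    'get/post only' => ['session.use_cookies' => 'Off', 'session.use_only_cookies' => 'Off', 'session.use_trans_sid' => 'Off'],
    'middleware'    => ['session.use_cookies' => 'Off', 'session.use_only_cookies' => 'On',  'session.use_trans_sid' => 'Off'],
];
foreach ($samples as $name => $ini) {
    $r = classifySessionPropagation($ini);
    printf("%-14s mode=%s sources=[%s]\n", $name, $r['mode'], implode(', ', $r['id_sources']));
    foreach ($r['findings'] as $f) {
        echo "    - $f\n";
    }
}
echo 'live process: ' . auditLiveSessionIni()['mode'] . "\n";
```

Only the "hardened" row produces no findings; it is the configuration the RFC would leave as the sole non-deprecated way of propagating the ID. The "middleware" row is the case Anton raised: PHP neither reads nor sets a session ID itself, so whether it is "impossible" or "custom-only" depends entirely on the application calling session_id() before session_start(), which is what the check in the fourth branch flags.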