[PHP-DEV] [RFC Discussion] Precise session management

2016-02-13 Thread Yasuo Ohgaki
Hi all,

It's been a long time since the first proposal. Since the session module is an important module for Web apps, I would like to hear opinions on this RFC once again before the vote.

RFC https://wiki.php.net/rfc/precise_session_management
PR https://github.com/php/php-src/pull/1734

Thank you.

-- Yasu

Re: [PHP-DEV] [RFC Discussion] Precise Session Management

2015-12-22 Thread Yasuo Ohgaki
Hi all,

On Tue, Dec 22, 2015 at 6:22 PM, Yasuo Ohgaki wrote:
>
>> I know users should not use names starting with __, but in reality I see them
>> almost everyday. I even seen __SESSION_INTERNAL__ used once.
>
> Thank you for good feedback.
> I may use more cryptic name for it.
> Any suggestions?

Re: [PHP-DEV] [RFC Discussion] Precise Session Management

2015-12-22 Thread Yasuo Ohgaki
Hi Grzegorz,

On Tue, Dec 22, 2015 at 5:42 PM, Grzegorz Zdanowski wrote:
>> On 22 Dec 2015, at 06:37, Yasuo Ohgaki wrote:
>> (…)
>> From user point of view, $_SESSION['__SESSION_INTERNAL__'] is a new reserved/
>> restricted session key.
>>
>
> Personally I think it’s a bad way to handle such thin

Re: [PHP-DEV] [RFC Discussion] Precise Session Management

2015-12-22 Thread Yasuo Ohgaki
Hi Stas,

On Tue, Dec 22, 2015 at 3:22 PM, Stanislav Malyshev wrote:
> Hi!
>
>> I would like to restart better session management for PHP 7.1.
>>
>> https://wiki.php.net/rfc/precise_session_management
>
> I've read the RFC and I have some questions and comments:
>
> 1. I do not see why old session

Re: [PHP-DEV] [RFC Discussion] Precise Session Management

2015-12-22 Thread Grzegorz Zdanowski
> On 22 Dec 2015, at 06:37, Yasuo Ohgaki wrote:
> (…)
> From user point of view, $_SESSION['__SESSION_INTERNAL__'] is a new reserved/
> restricted session key.
>

Personally I think it’s a bad way to handle such thing. Adding yet another „magic“ keyword/reserved field is going to make current

Re: [PHP-DEV] [RFC Discussion] Precise Session Management

2015-12-21 Thread Stanislav Malyshev
Hi!

> I would like to restart better session management for PHP 7.1.
>
> https://wiki.php.net/rfc/precise_session_management

I've read the RFC and I have some questions and comments:

1. I do not see why old session being active is a problem when you regenerate. You write "Attacker may abuse sto

[PHP-DEV] [RFC Discussion] Precise Session Management

2015-12-18 Thread Yasuo Ohgaki
Hi all,

I would like to restart better session management for PHP 7.1.

https://wiki.php.net/rfc/precise_session_management

Although this RFC targets PHP 7.1, new session management could be applied to older releases also if a majority of us agree. Please comment.

Regards,

-- Yasuo Ohgaki yohg...