Hi Andrey,
On Sun, Jan 25, 2015 at 11:54 AM, Andrey Andreev wrote:
> To prevent session fixation?
>
> Doesn't matter, I was just giving you an example.
>
If app may assume that clients have constant IP, then IP may be used to prevent
stolen sessions. Unfortunately, we live in mobile world, so t
Hi Andrey,
On Sun, Jan 25, 2015 at 11:53 AM, Andrey Andreev wrote:
> If I understand correctly, you're suggesting the removal of the
> old-style session_set_save_handler() calls where each function is
> passed as a separate argument?
>
> That could be a quite significant BC break.
>
No. Class/I
Hi again,
On Sat, Jan 24, 2015 at 7:48 PM, Yasuo Ohgaki wrote:
> Hi Andrey,
>
> On Sat, Jan 24, 2015 at 6:34 PM, Andrey Andreev wrote:
>>
>> > This is because session module lacks user defined serializer. Save
>> > handler
>> > handles session data storage. Serialize handler handles how data is
Hi,
On Sat, Jan 24, 2015 at 7:05 PM, Yasuo Ohgaki wrote:
> Hi Andrey,
>
> On Sat, Jan 24, 2015 at 6:34 PM, Andrey Andreev wrote:
>>
>> > Let's keep SessionHandler class. However,
>> > PHP_FUNCTION(session_set_save_handler)
>> > should be cleaned up to verify implemented/extended interface/class.
Hi Andrey,
On Sat, Jan 24, 2015 at 6:34 PM, Andrey Andreev wrote:
> > This is because session module lacks user defined serializer. Save handler
> > handles session data storage. Serialize handler handles how data is
> > converted/represented. IMHO.
> >
>
> That's not the only use case.
>
> So
Hi Andrey,
On Sat, Jan 24, 2015 at 6:34 PM, Andrey Andreev wrote:
> > Let's keep SessionHandler class. However,
> > PHP_FUNCTION(session_set_save_handler)
> > should be cleaned up to verify implemented/extended interface/class. It's
> > BC.
> > Do you have opinion for this?
>
> php > session_set
Hi,
On Sat, Jan 24, 2015 at 2:24 AM, Yasuo Ohgaki wrote:
> Hi Stas,
>
> On Sat, Jan 24, 2015 at 8:49 AM, Stanislav Malyshev
> wrote:
>
>> > This is the only reasonable use I know. I would to write user
>> > serializer(read/writer)
>> > handler for it.
>>
>> So we went from no reasonable use to
Hi Stas,
On Sat, Jan 24, 2015 at 9:29 AM, Stanislav Malyshev
wrote:
> > Let's keep SessionHandler class. However,
> > PHP_FUNCTION(session_set_save_handler)
> > should be cleaned up to verify implemented/extended interface/class.
> > It's BC.
> > Do you have opinion for this?
>
> I think it woul
Hi!
> Let's keep SessionHandler class. However,
> PHP_FUNCTION(session_set_save_handler)
> should be cleaned up to verify implemented/extended interface/class.
> It's BC.
> Do you have opinion for this?
I think it would be OK to require implementing the interface (and of
course the class should b
Hi Stas,
On Sat, Jan 24, 2015 at 8:49 AM, Stanislav Malyshev
wrote:
> > This is the only reasonable use I know. I would to write user
> > serializer(read/writer)
> > handler for it.
>
> So we went from no reasonable use to one reasonable use, documented at
> the manual. I think it is also reason
Hi!
> This is the only reasonable use I know. I would to write user
> serializer(read/writer)
> handler for it.
So we went from no reasonable use to one reasonable use, documented at
the manual. I think it is also reasonable to suppose there are more uses
for it.
> My point is SessionHandler cla
Hi Stas,
On Fri, Jan 23, 2015 at 3:47 PM, Stanislav Malyshev
wrote:
> > User may extend SessionHandler class like
> >
> > class MySession extends SessionHandler {}
> >
> > but user cannot extend base class(SessionHandler) capability because
> > user script
> > cannot access to PS(mod_data).
>
>
Hi,
I agree that the low-level details of different session handlers makes
the SessionHandler class a bit weird. However, I disagree that it is
useless.
We've discussed this before and I want to re-iterate my suggestion to
simply provide a separate class for each underlying save_handler, like
Fil
Hi!
> User may extend SessionHandler class like
>
> class MySession extends SessionHandler {}
>
> but user cannot extend base class(SessionHandler) capability because
> user script
> cannot access to PS(mod_data).
Not sure what you mean by that. Absence of access to PS(mod_data)
certainly doe
Hi Stas,
On Fri, Jan 23, 2015 at 2:00 PM, Stanislav Malyshev
wrote:
> > User script must have access the struct(PS(mod_data)) to extend base class.
>
> Can't I extend the base class and then do something in overriding
> methods and call parent, or override some methods but not others and
> thu
Hi!
> User script must have access the struct(PS(mod_data)) to extend base class.
Can't I extend the base class and then do something in overriding
methods and call parent, or override some methods but not others and
thus have the original methods still work just fine?
> In conclusion, SessionHa
Hi all,
I would like to propose removal of SessionHandler object. PHP7 is perfect
opportunity.
Session module uses "previous save handler" as its base class of
SessionHandler object.
e.g.
ini_set('session.save_handler','files');
$handler = new SessionHandler; // files save handler functions are u
17 matches