Hi!
Hi all,
I thought I'd better start a new thread, since I changed the status
to "Under Discussion".
This is an RFC for making PHP sessions strict.
https://wiki.php.net/rfc/strict_sessions
I'll implement DoS protection later, since the current patch is pretty well
tested and suitable for PHP 5.4/5.3, too.
I've checked out the RFC and the patch, and I have a couple of notes:
1. Why do we need a separate validate call in the API? Can't we just do the
checks in open/read?
2. Very restrictive limits on session key values don't look useful to
me - I know some custom solutions use characters beyond alphanumerics in
session IDs. Of course it can be worked around with encoding, etc. - but
what does it add?
3. Why replace php_session_create_id with custom functions doing the
same in each standard module?
4. I'm not feeling very comfortable getting such a big change (API
change, logic change, etc.) with unknown effects this late in 5.4. I'd
much prefer doing it in 5.4.1, but the API change doesn't really allow
that either.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
--
PHP Internals - PHP Runtime Development Mailing List