Hi Stas,

2011/12/4 Stas Malyshev <smalys...@sugarcrm.com>:
> Hi!
>
>> For example, it is easy to find cases with Google Code Search where
>> users are setting the ID when what they really should do is
>> session_regenerate_id(). These kinds of mistakes would be better
>> prevented under strict mode, IMHO.
>
> I'm not sure how that would help in this case - so the set would be
> rejected, then the users will turn strict mode off to make their code
> work and thus lose the protection it provides. How does that improve anything?
> Setting the session ID and protection against adoption are two different things,
> why do you need to turn off the latter to get the former working?
Since the patch sets INI_ALL for session.use_strict_mode, users may disable strict mode for specific code. They don't have to disable strict mode for the whole application.

It's possible to allow a user-defined session ID, but as far as I searched on Google, users have just misused or abused session_id($newid). Since there are many places where users could shoot themselves in the foot, I don't mind allowing session_id($newid). It's far more important to provide protection for decent code.

Should I go ahead and change this?

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
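The misuse the thread describes (adopting a caller-supplied ID via session_id() where session_regenerate_id() was meant) next to the pattern strict mode is designed to protect; this is an added illustration, not code from the thread or from the PHP patch under discussion, and it assumes a PHP build where session.use_strict_mode exists (it shipped in 5.5.2) and that the login logic itself is out of scope.

```php
<?php
// Anti-pattern: the session ID is taken from the request and adopted.
// With strict mode off, PHP starts a session under whatever ID it is handed,
// so an ID that never came from PHP (session adoption / fixation) is accepted
// and the login below binds the user to it.
function login_insecure(string $user): void
{
    if (isset($_GET['sid'])) {
        session_id($_GET['sid']);   // adopts an uninitialized, externally chosen ID
    }
    session_start();
    $_SESSION['user'] = $user;
}

// Recommended: keep strict mode on so uninitialized IDs are rejected, and
// issue a fresh ID at the privilege change instead of setting one by hand.
// session.use_strict_mode is INI_ALL, so it can be enabled per script rather
// than for the whole application.
function login_secure(string $user): void
{
    ini_set('session.use_strict_mode', '1'); // unknown ID in the cookie -> discarded, new ID created
    session_start();
    session_regenerate_id(true);             // new ID; the old session storage is deleted
    $_SESSION['user'] = $user;
}

// A legitimate caller-provided ID is only safe when strict mode is on, since
// an ID that does not already exist in the handler is then never adopted.
function resume_with_known_id(string $candidate): bool
{
    ini_set('session.use_strict_mode', '1');
    session_id($candidate);
    session_start();
    // Under strict mode, an unknown $candidate is replaced by a generated ID.
    return session_id() === $candidate;
}
```

With strict mode on, resume_with_known_id() returns false for an ID the session handler has never seen, which is exactly the case session_id($newid) callers in the wild were silently getting wrong.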