Hi! > Since this RFC is about preciseness of session management, I would like to > change session_id() validates against default allowed chars as follows. > (As well as enabling already written session_create_id() function) > This patch is against the PR.
I would strongly advise not to add more things into this RFC (see my other email). If you want to change which chars are allowed in session ID, fine, but let's discuss it in separate topic. However, I would proceed *very* carefully here, as there are apps that produce their own session IDs, and breaking them does not help anybody. About, since session_id() is a user function, what do we gain by limiting what it does? For session_create_id(), don't we already have SessionHandler::create_sid()? -- Stas Malyshev smalys...@gmail.com -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
