Hi!

> Oops, sorry. Too many lines to reply, I misread
> session_id()/session_create_id()
>
> session_id() sets session ID. Invalid char that cannot be accepted should be
> rejected. Otherwise, user will have lost sessions without errors.

As far as I know, handlers already reject characters that are not OK with them. So what is missing there?

> SessionHandler::create_sid() is for creating user own ID. Generating ID with
> certain prefix.

Not sure what you mean. The code here:
https://github.com/php/php-src/blob/master/ext/session/mod_user_class.c#L175
is clearly generating an ID. Is this not secure enough?

> Currently, there is no simple way to generate session ID with the form
> of session module generates. i.e. hash_bits_per_characters=5/6. There
> should be an API for it.

Wait, so which ID does SessionHandler::create_sid() generate? Isn't that the same function? Which function do you plan to use instead?

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
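
The two points raised in the quoted text, rejecting IDs with unacceptable characters and generating an ID with a prefix through SessionHandler::create_sid(), sketched as an added example that is not part of the original message or of php-src. The names SID_ALPHABETS, sid_is_well_formed and PrefixedSessionHandler, the length limits and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example; not code from php-src or from the thread.
// Alphabets PHP documents for session.hash_bits_per_character = 4, 5, 6.
const SID_ALPHABETS = [
    4 => '0-9a-f',
    5 => '0-9a-v',
    6 => '0-9a-zA-Z,-',
];

// Hypothetical helper: true only if $id is built from the alphabet for $bits.
// $maxLen is an assumed application limit, not a PHP constant.
function sid_is_well_formed(string $id, int $bits, int $maxLen = 128): bool
{
    if (!isset(SID_ALPHABETS[$bits])) {
        throw new InvalidArgumentException('bits must be 4, 5 or 6');
    }
    $re = '/\A[' . SID_ALPHABETS[$bits] . ']{1,' . $maxLen . '}\z/';
    return preg_match($re, $id) === 1;
}

// Hypothetical handler: keeps the module's own random ID and prepends a prefix.
final class PrefixedSessionHandler extends SessionHandler
{
    private $prefix;

    public function __construct(string $prefix)
    {
        // Check the prefix against the 6-bit alphabet, the widest of the three.
        if (!sid_is_well_formed($prefix, 6, 16)) {
            throw new InvalidArgumentException('prefix has characters outside the ID alphabet');
        }
        $this->prefix = $prefix;
    }

    public function create_sid(): string
    {
        return $this->prefix . parent::create_sid();
    }
}

session_set_save_handler(new PrefixedSessionHandler('app1-'), true);

$candidate = 'bad id!'; // constructed sample input
if (sid_is_well_formed($candidate, 6)) {
    session_id($candidate); // only well-formed IDs reach session_id()
}
```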