Hi Niklas,

On Thu, Oct 20, 2016 at 6:01 PM, Niklas Keller <m...@kelunik.com> wrote:
>
> same here, it's not acceptable to limit header and restrict `set_cookie`.
> Just think about all those frameworks that would have to special-case setting
> headers now and have to use the cookie API then.
>
> If you want to protect the session cookie header, why not simply set it
> right before the first output? That'd make it also non-overridable, but
> leaves header() intact. But I guess it's harder to implement.

Although I prefer to have a completely separate API, we have to implement the vote result. So vote no for the "Disabling 'Set-Cookie' for header*()" vote option.

Regarding delaying the session cookie header, it is possible to use an output buffer to delay output so that the session module can send the HTTP header at request shutdown. However, it will break almost all session-enabled applications that require immediate output. Therefore, it's easy to implement, but not possible for this reason.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php