Steve Meyers wrote:
 > I think you're missing something here, Yasuo.  Hans is talking about
 > unregistering a single session variable, not the entire session array.
 > He's talking about unset($_SESSION['varname']), not unset($_SESSION).
 >

Thanks for pointing it out, and sorry for the sloppy reading ;)

I'm a relatively new PHP user (about 2 years) and never enable
register_globals, since there is an obvious security risk with
register_globals=On.

I was considering changing the session module to look up both PS(vars) and
PS(http_session_vars) when PG(register_globals) is true and save the session
only when a session var is defined for both PS(http_session_vars) and
PS(vars).

(BTW, there are problems with $HTTP_SESSION_VARS/$_SESSION handling even
when register_globals=Off. Session vars can be read only, etc :(.
I would like to fix this problem, then fix the issues with
register_globals. However, before I start working on that, I would
like to commit the bug fixes/changes that I proposed first.)

I was planning to make this change for 4.2.0, but the 4.2.0 branch will be
created in a few days (3/6 IIRC). I have things to do this weekend,
so I cannot create a patch for 4.2.0. If branching is delayed a few weeks,
I might be able to create a patch.

When register_globals is On, the user needs to call session_unregister()
to get rid of a global var from the session var hash. (Or unset($some_var) and
$_SESSION['some_var'] would work).

I strongly recommend setting register_globals=Off...

-- 
Yasuo Ohgaki


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
