> Should php create the session id, or should the session handler?

PHP should. Here is something to think about.

It is hard to generate hard to guess session ids. PHP has various internal entropy sources and can read from system provided entropy sources as well. That gives PHP users an adequate level of pseudo-random session ids. If storage handlers would generate their own session ids, they would have to reimplement all of the above. Because it is an uneasy task, many (most) storage handlers will get it wrong. And which project is the most likely to be blamed for that? PHP, because it would give too much control to storage handlers.

Currently, session ids have a defined format which our users rely on. If storage handlers control the format, they might choose to change it for some odd reason. Thus our users' deployed applications might break out of the blue.

Up to now, no one has claimed that the session module ever produced collisions among session ids. If the opposite can be shown, I'd favor fixing session id generation in one place, instead of the X storage handlers in the wild.

- Sascha
Experience IRCG
http://schumann.cx/ http://schumann.cx/ircg