Sascha Schumann wrote:
>>Should php create the session id, or should the session handler?
>
>
> PHP should. Here is something to think about.
>
A few examples the reason why creating session ID on save handlers.
If PHP have full control of session ID generation, we cannot do
- Invalidate session ID. 2 IP address is used for the same session
ID since a user have mailed URI includes session ID. Session
module cannot detect. (Not 100%, but better than nothing)
- Collision cannot be detected. There is no way for session
module to detect collision. Session storage can detect, since
it knows all session IDs used/active.
We know session ID is almost always OK with current way. However,
some people want/need stronger session ID and session ID protection.
Session module cannot do that, therefore, I think it's nice to have.
Benefits are greater than disadvantages in this case. Obviously,
it's more appealling if we could say, 'Collision cannot happen'
than 'Callision can happen, but it's very unlikely, so it should be
Ok'.
There are other ways to do the same thing. Someone might have
better idea, but I think this is one of the best way.
--
Yasuo Ohgaki
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
