rfc:deprecate-get-post-sessions

rfc:deprecate-get-post-sessions [2024/03/02 21:06] – created dharman
rfc:deprecate-get-post-sessions [2024/08/25 12:18] (current) – the RFC has been implemented cmb
Line 1: Line 1:
 ====== PHP RFC: Deprecate GET/POST sessions ====== ====== PHP RFC: Deprecate GET/POST sessions ======
  
-  * Version: 0.1+  * Version: 0.2
   * Date: 2024-03-03   * Date: 2024-03-03
   * Authors: Kamil Tekiela <dharman@php.net>   * Authors: Kamil Tekiela <dharman@php.net>
-  * Status: Discussion+  * Status: Implemented
   * Target Version: PHP 8.4   * Target Version: PHP 8.4
   * Implementation: https://github.com/php/php-src/pull/13578   * Implementation: https://github.com/php/php-src/pull/13578
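Review bot: the Status field moves from Discussion to Implemented and the Version to 0.2, but the Date line stays at 2024-03-03 in both columns; if Date is meant to be the creation date that is fine, otherwise it should be updated together with the status. The Implementation link still points at the pull request, which matches the commit recorded in the Implementation section further down the page.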
Line 24: Line 24:
 Setups that use default settings, such as the following, will NOT trigger a deprecation warning: Setups that use default settings, such as the following, will NOT trigger a deprecation warning:
  
- 
-  session.use_cookies=On 
   session.use_only_cookies=On   session.use_only_cookies=On
   session.use_trans_sid=Off   session.use_trans_sid=Off
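Review bot: dropping ''session.use_cookies=On'' from this list of non-warning defaults is consistent with the decision further down to leave that setting alone, but the sentence introducing the list still reads as if it covered every relevant default; a one-line cross-reference such as "session.use_cookies is not affected, see the dedicated section below" would stop readers from assuming the entry was removed by mistake.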
Line 32: Line 30:
 Installations that have either of these switches in a different position will generate a deprecation warning: Installations that have either of these switches in a different position will generate a deprecation warning:
  
-  session.use_cookies=Off ; Will generate a deprecation warning 
   session.use_only_cookies=Off ; Will generate a deprecation warning   session.use_only_cookies=Off ; Will generate a deprecation warning
   session.use_trans_sid=On ; Will generate a deprecation warning   session.use_trans_sid=On ; Will generate a deprecation warning
  
 +Changing any of the following settings will be deprecated:
  
-The goal is to remove these features completely in PHP 9.0The above INI entries will be removed, as well as additional entries called <php>session.trans_sid_tags</php><php>session.trans_sid_hosts</php> and <php>session.referer_check</php>. The constant <php>SID</php> will also be removed.+  * <php>session.use_only_cookies</php> 
 +  * <php>session.use_trans_sid</php> 
 +  * <php>session.trans_sid_tags</php> 
 +  * <php>session.trans_sid_hosts</php> 
 +  * <php>session.referer_check</php> 
 + 
 +Setting any of these options through <php>session_start()</php> to their non-default value will also be deprecated 
 + 
 +The constant <php>SID</php> will also be deprecated as part of this RFC. The standalone proposal to deprecate this constant has also been made in [[deprecations_php_8_4|Deprecations for PHP 8.4]] RFC. 
 + 
 +The goal is to remove these features completely in PHP 9.0. The above-listed INI entries and the constant <php>SID</php> will be removed
 + 
 + 
 +===== session.use_cookies = Off ===== 
 + 
 +I can't confirm whether it was intentional to allow the usage of cookie sessions without sending the cookie, but people have used this trick to adhere to strict PSR-7 standard. As explained by [[https://paul-m-jones.com/post/2016/04/12/psr-7-and-session-cookies/|Paul M. Jones in his blog]] disabling <php>session.use_cookies</php> instructs PHP not to send the session ID in the cookie upon session start. The responsibility of sending the cookie with the session ID falls on the developer who can do it at their most convenient time. For this reason, this INI setting will remain unaffected
  
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-Apart from generating a deprecation notice, no other immediate backward incompatible changes are foreseen. However, once these settings get removed in the next major PHP version, using any of the INI settings will become impossible. +Apart from generating a deprecation notice, no other immediate backward incompatible changes are foreseen. However, once these settings get removed in the next major PHP version, using any of these INI settings will become impossible.  
 + 
 +Using automatic transformation of URLs will become impossible out of the box starting with PHP 9.0. To keep using this feature, PHP users will have to implement it in userland. While PHP will not read the session token from GET/POST parameters automatically anymore, it will still be possible to start a session with an ID received in such a way by manually setting it via <php>session_id()</php> 
 + 
 +===== Unaffected Functionality ===== 
 + 
 +Function <php>output_add_rewrite_var()</php> will remain unaffected. Only the automatic rewriting of URLs to add PHPSESSID will be deprecated
  
-Using automatic transformation of URLs will not be possible out of the box. To keep using this feature, PHP users will have to implement it in userland. While PHP will not read the session token from GET/POST parameters automatically anymore, it will remain possible to start a session with an ID received in such a way by manually setting it via <php>session_id()</php>+The hack which allows for manual control of the session cookie using the INI setting <php>session.use_cookies</php> will remain possible. 
  
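Review bot: the new list of deprecated settings says changing them "to their non-default value" will warn, but only ''session.use_only_cookies=On'' and ''session.use_trans_sid=Off'' have their defaults stated in this section; ''session.trans_sid_tags'', ''session.trans_sid_hosts'' and ''session.referer_check'' should have their default values listed here so readers can tell which values trigger the warning, and the same applies to the options array passed to ''session_start()''. Two smaller points: the sentences ending on ''session_start()'', ''session_id()'', ''PHPSESSID'', ''will be removed'' and ''will remain unaffected'' are missing their full stops, and since the Backward Incompatible Changes paragraph names ''session_id()'' as the remaining way to adopt an ID received via GET/POST, the Unaffected Functionality section would be the natural place to list it next to ''output_add_rewrite_var()'' so the two escape hatches are documented in one place.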
 ===== Version ===== ===== Version =====
Line 55: Line 74:
 As per the voting RFC a yes/no vote with a 2/3 majority is needed for this proposal to be accepted. As per the voting RFC a yes/no vote with a 2/3 majority is needed for this proposal to be accepted.
  
-Voting started on and will end on _.+Voting started on 2024-04-09 and will end on 2024-04-23.
    
 <doodle title="Accept Deprecate GET/POST session identifiers" auth="dharman" voteType="single" closed="true"> <doodle title="Accept Deprecate GET/POST session identifiers" auth="dharman" voteType="single" closed="true">
Line 62: Line 81:
 </doodle> </doodle>
  
 +===== Implementation =====
  
 +  - merged into ''master'' (will become PHP-8.4)
 +  - merged as [[https://github.com/php/php-src/commit/c5bce0d8a2e6794cd6809e4047dd1f488fa3459b]]
 +  - documentation update pending
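Review bot: item 3 still says the documentation update is pending while the Status field at the top was switched to Implemented in the same revision; either the status should wait for the manual changes or the item should note where the docs work is tracked and be updated once it lands. Also, the commit link is a bare URL inside the link brackets; giving it a label such as the short commit hash would match the style of the ''master'' item above it.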
  
rfc/deprecate-get-post-sessions.1709413561.txt.gz · Last modified: 2024/03/02 21:06 by dharman