Differences

This shows you the differences between two versions of the page.

--- rfc:session-lock-ini [2014/02/02 02:06]
yohgaki
+++ rfc:session-lock-ini [2017/09/22 13:28] (current)
@@ Line 1: / Line 1: @@
-====== PHP RFC: Introduce session options - read_only, unsafe_lock, lazy_write and lazy_destroy ======
+====== PHP RFC: Introduce session_start() options - read_only, unsafe_lock, lazy_write and lazy_destroy ======
   * Version: 1.6
   * Date: 2014-02-02
   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net
-  * Status: Under Discussion
+  * Status: Passed Proposal 1. 2 and 3 declined.
   * First Published at: http://wiki.php.net/rfc/session-lock-ini
@@ Line 52: / Line 52: @@
        　　　　　　　　　Close (Session data unchanged)
-**Usage Tip for unsafe_lock=On: ** Update $_SESSION only when update is strictly needed. For example, change $_SESSION only when authentication/authorization information has changed.
+**Usage Tip for unsafe_lock=On: ** Update $_SESSION only when update is strictly needed. For example, change $_SESSION only when authentication/authorization information has changed. Alternatively, user may start all session with read_only=TRUE and reopen session with read/write only when authentication/authorization information has to be changed.
@@ Line 62: / Line 62: @@
   * Script B accessed to server with old session ID
-Current session module(session_destroy()/session_regenerate_id()) simply deletes session data with $delete_old_session=true. When $delete_old_session=false(default), session_regenerate_id() simply creates new session ID and leave old session ID/data.
+Current session module(session_destroy()/session_regenerate_id()) simply deletes session data with $delete_old_session=true. When $delete_old_session=false(default), session_regenerate_id() simply creates new session ID and leaves old session ID/data.
 Even when old session ID is destroyed, script B can access server with old session ID. Without session.strict_mode=On, session module may reinitialize session data with old ID which may be known to attackers.
@@ Line 94: / Line 94: @@
-===== Proposal 2 - lazy_wirte =====
+===== Proposal 2 - lazy_write =====
 Introduce lazy_write option to session_start() that enable/disable lazy session data writing.
@@ Line 279: / Line 279: @@
 **Cons**
   - Misuse of this feature could be a cause of bugs.
+  - Open all session with read_only=TRUE and reopen session for writing as it is needed, would be safer for average users. (We may better to promote this usage pattern)
 **4) lazy_destroy** that allows delayed session data deletion for concurrent accesses and reliable session_regenerate_id() operation.
@@ Line 298: / Line 299: @@
 ===== Benchmark =====
+Note: read_only=on will yield better result than this.
 == lazy_write: on, unsafe_lock: on ==
@@ Line 314: / Line 317: @@
 Please vote feature by feature.
-The voting period is 2014/02/03 until 2014/02/10.
+The voting period is 2014/02/12 until 2014/02/19.
 ,2) Introduce read_only, lazy_write to session_start() option.
@@ Line 322: / Line 325: @@
 </doodle>
-) Introduce unsafe_lock option.
+) Introduce unsafe_lock option to session_start() option.
 <doodle title="Unsafe lock option" auth="user" voteType="single" closed="true">
    * Yes
@@ Line 328: / Line 331: @@
 </doodle>
-) Introduce lazy_destroy option.
+) Introduce lazy_destroy option to session_start() option.
 <doodle title="Lazy destroy option" auth="user" voteType="single" closed="true">
    * Yes

Differences

Page Tools