rfc:session-lock-ini

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
rfc:session-lock-ini [2014/02/02 02:06]
yohgaki
rfc:session-lock-ini [2017/09/22 13:28] (current)
Line 1: Line 1:
  
-====== PHP RFC: Introduce ​session ​options - read_only, unsafe_lock,​ lazy_write and lazy_destroy ======+====== PHP RFC: Introduce ​session_start() ​options - read_only, unsafe_lock,​ lazy_write and lazy_destroy ======
   * Version: 1.6   * Version: 1.6
   * Date: 2014-02-02 ​   * Date: 2014-02-02 ​
   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net
-  * Status: ​Under Discussion+  * Status: ​Passed Proposal 1. 2 and 3 declined.
   * First Published at: http://​wiki.php.net/​rfc/​session-lock-ini   * First Published at: http://​wiki.php.net/​rfc/​session-lock-ini
  
Line 52: Line 52:
        ​         Close (Session data unchanged)        ​         Close (Session data unchanged)
  
-**Usage Tip for unsafe_lock=On:​ ** Update $_SESSION only when update is strictly needed. For example, change $_SESSION only when authentication/​authorization information has changed.+**Usage Tip for unsafe_lock=On:​ ** Update $_SESSION only when update is strictly needed. For example, change $_SESSION only when authentication/​authorization information has changed. Alternatively,​ user may start all session with read_only=TRUE and reopen session with read/write only when authentication/​authorization information has to be changed.
  
  
Line 62: Line 62:
   * Script B accessed to server with old session ID   * Script B accessed to server with old session ID
  
-Current session module(session_destroy()/​session_regenerate_id()) simply deletes session data with $delete_old_session=true. When $delete_old_session=false(default),​ session_regenerate_id() simply creates new session ID and leave old session ID/data.+Current session module(session_destroy()/​session_regenerate_id()) simply deletes session data with $delete_old_session=true. When $delete_old_session=false(default),​ session_regenerate_id() simply creates new session ID and leaves ​old session ID/data.
  
 Even when old session ID is destroyed, script B can access server with old session ID. Without session.strict_mode=On,​ session module may reinitialize session data with old ID which may be known to attackers. Even when old session ID is destroyed, script B can access server with old session ID. Without session.strict_mode=On,​ session module may reinitialize session data with old ID which may be known to attackers.
Line 94: Line 94:
  
  
-===== Proposal 2 - lazy_wirte ​=====+===== Proposal 2 - lazy_write ​=====
  
 Introduce lazy_write option to session_start() that enable/​disable lazy session data writing. Introduce lazy_write option to session_start() that enable/​disable lazy session data writing.
Line 279: Line 279:
 **Cons** **Cons**
   - Misuse of this feature could be a cause of bugs.   - Misuse of this feature could be a cause of bugs.
 +  - Open all session with read_only=TRUE and reopen session for writing as it is needed, would be safer for average users. (We may better to promote this usage pattern)
  
 **4) lazy_destroy** that allows delayed session data deletion for concurrent accesses and reliable session_regenerate_id() operation. **4) lazy_destroy** that allows delayed session data deletion for concurrent accesses and reliable session_regenerate_id() operation.
Line 298: Line 299:
  
 ===== Benchmark ===== ===== Benchmark =====
 +
 +Note: read_only=on will yield better result than this.
  
 == lazy_write: on, unsafe_lock:​ on == == lazy_write: on, unsafe_lock:​ on ==
Line 314: Line 317:
 Please vote feature by feature. Please vote feature by feature.
  
-The voting period is 2014/02/03 until 2014/02/10.+The voting period is 2014/02/12 until 2014/02/19.
  
 1,2) Introduce read_only, lazy_write to session_start() option. ​ 1,2) Introduce read_only, lazy_write to session_start() option. ​
Line 322: Line 325:
 </​doodle>​ </​doodle>​
  
-3) Introduce unsafe_lock option. ​+3) Introduce unsafe_lock ​option to session_start() ​option. ​
 <doodle title="​Unsafe lock option"​ auth="​user"​ voteType="​single"​ closed="​true">​ <doodle title="​Unsafe lock option"​ auth="​user"​ voteType="​single"​ closed="​true">​
    * Yes    * Yes
Line 328: Line 331:
 </​doodle>​ </​doodle>​
  
-4) Introduce lazy_destroy option. ​+4) Introduce lazy_destroy ​option to session_start() ​option. ​
 <doodle title="​Lazy destroy option"​ auth="​user"​ voteType="​single"​ closed="​true">​ <doodle title="​Lazy destroy option"​ auth="​user"​ voteType="​single"​ closed="​true">​
    * Yes    * Yes
rfc/session-lock-ini.1391306819.txt.gz · Last modified: 2017/09/22 13:28 (external edit)