rfc:session-lock-ini

Differences

This shows you the differences between two versions of the page.

rfc:session-lock-ini [2014/02/02 02:11]
yohgaki
rfc:session-lock-ini [2017/09/22 13:28] (current)
Line 1: Line 1:
  
-====== PHP RFC: Introduce session options - read_only, unsafe_lock, lazy_write and lazy_destroy ======+====== PHP RFC: Introduce session_start() options - read_only, unsafe_lock, lazy_write and lazy_destroy ======
   * Version: 1.6   * Version: 1.6
   * Date: 2014-02-02    * Date: 2014-02-02 
   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net   * Author: Yasuo Ohgaki, yohgaki@ohgaki.net
-  * Status: Under Discussion+  * Status: Passed Proposal 1. 2 and 3 declined.
   * First Published at: http://wiki.php.net/rfc/session-lock-ini   * First Published at: http://wiki.php.net/rfc/session-lock-ini
  
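Review bot: the new Status line "Passed Proposal 1. 2 and 3 declined." is ambiguous (the full stop after "1" reads like a version number "1.2") and it accounts for only three items, while the vote section below has items 1,2), 3) and 4) and the context line "**4) lazy_destroy**" shows a fourth proposal; suggest "Status: Proposal 1 passed; proposals 2 and 3 declined" plus the outcome for proposal 4, using the same numbering as the vote doodles. The "Version: 1.6" and "Date: 2014-02-02" lines are left unchanged although the status and, further down, the voting period were edited; bump the version and date in this same change.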
Line 52: Line 52:
                 Close (Session data unchanged)                 Close (Session data unchanged)
  
-**Usage Tip for unsafe_lock=On: ** Update $_SESSION only when update is strictly needed. For example, change $_SESSION only when authentication/authorization information has changed. Alternatively, user may start all session with read_only=TRUE. Reopen session with read/write only when change authentication/authorization information has changed.+**Usage Tip for unsafe_lock=On: ** Update $_SESSION only when update is strictly needed. For example, change $_SESSION only when authentication/authorization information has changed. Alternatively, user may start all session with read_only=TRUE and reopen session with read/write only when authentication/authorization information has to be changed.
  
  
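Review bot: the reworded tip tells the reader to "reopen session with read/write" but not that a session started with read_only=TRUE is already closed after the read (the "Close (Session data unchanged)" step in the context above), so "reopen" means a second session_start() call without read_only, not switching the current session to read/write; stating this explicitly would prevent the common misreading. Grammar: "start all session" should be "start all sessions" and "user may" should be "users may".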
Line 62: Line 62:
   * Script B accessed to server with old session ID   * Script B accessed to server with old session ID
  
-Current session module(session_destroy()/session_regenerate_id()) simply deletes session data with $delete_old_session=true. When $delete_old_session=false(default), session_regenerate_id() simply creates new session ID and leave old session ID/data.+Current session module(session_destroy()/session_regenerate_id()) simply deletes session data with $delete_old_session=true. When $delete_old_session=false(default), session_regenerate_id() simply creates new session ID and leaves old session ID/data.
  
 Even when old session ID is destroyed, script B can access server with old session ID. Without session.strict_mode=On, session module may reinitialize session data with old ID which may be known to attackers. Even when old session ID is destroyed, script B can access server with old session ID. Without session.strict_mode=On, session module may reinitialize session data with old ID which may be known to attackers.
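Review bot: the unchanged context line refers to "session.strict_mode", but the ini directive that rejects uninitialized session IDs is session.use_strict_mode; correct the name while this paragraph is being edited. Style: add the missing spaces in "session module(session_destroy()/session_regenerate_id())" and "$delete_old_session=false(default)", and "Script B accessed to server" in the list item above should read "Script B accesses the server".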
Line 94: Line 94:
  
  
-===== Proposal 2 - lazy_wirte =====+===== Proposal 2 - lazy_write =====
  
 Introduce lazy_write option to session_start() that enable/disable lazy session data writing. Introduce lazy_write option to session_start() that enable/disable lazy session data writing.
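Review bot: with the heading typo (lazy_wirte) fixed, the sentence under it still reads "option to session_start() that enable/disable"; make it "that enables/disables lazy session data writing" in the same change.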
Line 279: Line 279:
 **Cons** **Cons**
   - Misuse of this feature could be a cause of bugs.   - Misuse of this feature could be a cause of bugs.
 +  - Open all session with read_only=TRUE and reopen session for writing as it is needed, would be safer for average users. (We may better to promote this usage pattern)
  
 **4) lazy_destroy** that allows delayed session data deletion for concurrent accesses and reliable session_regenerate_id() operation. **4) lazy_destroy** that allows delayed session data deletion for concurrent accesses and reliable session_regenerate_id() operation.
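Review bot: the added item under **Cons** is a recommendation rather than a drawback of unsafe_lock; either move it to the usage tip above or phrase the actual con, e.g. "Average users are more likely to misuse unsafe_lock than the read_only=TRUE-then-reopen pattern, which should be promoted instead." The sentence also needs grammar fixes: "Opening all sessions with read_only=TRUE and reopening for writing only as needed would be safer for average users (we should promote this usage pattern)."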
Line 298: Line 299:
  
 ===== Benchmark ===== ===== Benchmark =====
 +
 +Note: read_only=on will yield better result than this.
  
 == lazy_write: on, unsafe_lock: on == == lazy_write: on, unsafe_lock: on ==
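Review bot: the added note "read_only=on will yield better result than this" asserts a result without numbers; either add a read_only run next to the "lazy_write: on, unsafe_lock: on" case or word it as an expectation ("read_only is expected to perform better, since no write is issued"). Naming: the rest of the RFC writes read_only=TRUE, so use the same spelling here.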
Line 314: Line 317:
 Please vote feature by feature. Please vote feature by feature.
  
-The voting period is 2014/02/03 until 2014/02/10.+The voting period is 2014/02/12 until 2014/02/19.
  
 1,2) Introduce read_only, lazy_write to session_start() option.  1,2) Introduce read_only, lazy_write to session_start() option. 
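Review bot: "Please vote feature by feature" conflicts with item "1,2)", which puts read_only and lazy_write into a single vote; either split them into two doodles or reword the instruction to say that read_only and lazy_write are voted together. The voting period moved to 2014/02/12 to 2014/02/19, but the "Date: 2014-02-02" header at the top was not updated; "Introduce read_only, lazy_write to session_start() option" should read "as session_start() options".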
Line 322: Line 325:
 </doodle> </doodle>
  
-3) Introduce unsafe_lock option. +3) Introduce unsafe_lock option to session_start() option. 
 <doodle title="Unsafe lock option" auth="user" voteType="single" closed="true"> <doodle title="Unsafe lock option" auth="user" voteType="single" closed="true">
    * Yes    * Yes
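Review bot: "Introduce unsafe_lock option to session_start() option" repeats "option"; suggest "Introduce unsafe_lock as a session_start() option" (the same wording problem applies to item 4 in the following hunk).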
Line 328: Line 331:
 </doodle> </doodle>
  
-4) Introduce lazy_destroy option. +4) Introduce lazy_destroy option to session_start() option. 
 <doodle title="Lazy destroy option" auth="user" voteType="single" closed="true"> <doodle title="Lazy destroy option" auth="user" voteType="single" closed="true">
    * Yes    * Yes
rfc/session-lock-ini.1391307079.txt.gz · Last modified: 2017/09/22 13:28 (external edit)