rfc:session_regenerate_id

rfc:session_regenerate_id [2015/03/20 22:46]
yohgaki
rfc:session_regenerate_id [2015/03/21 01:23]
yohgaki
Line 7: Line 7:
   * Status: Under Discussion   * Status: Under Discussion
   * First Published at: http://​wiki.php.net/​rfc/​session_regenerate_id   * First Published at: http://​wiki.php.net/​rfc/​session_regenerate_id
 +  * Renamed: https://​wiki.php.net/​rfc/​precise_session_management
  
 ===== Introduction ===== ===== Introduction =====
 +
 +**This RFC is renamed**. Refer to the latest
 +
 +https://​wiki.php.net/​rfc/​precise_session_management
 +
 +
  
 Keeping HTTP session as secure as possible is what the session manager'​s task. **Session manager can improve HTTP session security without user code modification while keeping compatibility with existing applications.** Please note that this RFC is for session manager behavior. Keeping HTTP session as secure as possible is what the session manager'​s task. **Session manager can improve HTTP session security without user code modification while keeping compatibility with existing applications.** Please note that this RFC is for session manager behavior.
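Review bot: the added notice stops at "Refer to the latest" and then drops to a bare URL; finish the sentence by naming what the link is (the renamed RFC, precise_session_management) so the pointer reads complete. The Status line is left at "Under Discussion" while the page declares itself renamed; say on the same line whether discussion and voting now happen on the new page, otherwise readers will keep commenting on a superseded draft.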
Line 68: Line 75:
 for old session data. This is pseudocode. User will never see $_SESSION['​__SESSION_DESTORY_TTL__'​] as it is removed/​added upon session data serialization internally in session module. ​ for old session data. This is pseudocode. User will never see $_SESSION['​__SESSION_DESTORY_TTL__'​] as it is removed/​added upon session data serialization internally in session module. ​
  
-$_SESSION['​__SESSION_DESTORY_TTL__'​] also stores new session ID when TTL is set by session_regenerate_id(). ​+$_SESSION['​<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>​'] also stores new session ID when TTL is set by session_regenerate_id(). ​
  
    ​integer_string_timestamp\0string_session_id    ​integer_string_timestamp\0string_session_id
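Review bot: the <nowiki> wrapping added here covers only the changed line; the same key still appears bare as $_SESSION['__SESSION_DESTORY_TTL__'] on the unchanged line just above it ("User will never see ..."), so DokuWiki will keep rendering those double underscores as underline markup there. Wrap that occurrence the same way, and consider doing it for the value layout line integer_string_timestamp\0string_session_id as well, since it is the one piece of this section a reader will copy.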
Line 74: Line 81:
 If browser accesses to be deleted session (old session), session module uses new session ID rather than old and try to set correct new ID. i.e. Send new session ID cookie to browser. This prevents lost session under unstable network. If browser accesses to be deleted session (old session), session module uses new session ID rather than old and try to set correct new ID. i.e. Send new session ID cookie to browser. This prevents lost session under unstable network.
  
-If session module finds $_SESSION['​__SESSION_DESTORY_TTL__'​] and timestamp is old, delete old session data and create new session with new session ID. E_WARNING error is raised for this because it means either too short TTL or user is under attack.+If session module finds $_SESSION['​<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>​'] and timestamp is old, delete old session data and create new session with new session ID. E_WARNING error is raised for this because it means either too short TTL or user is under attack.
  
 When session_regenerate_id(true)/​session_destroy(true) is called, session module destroy session data immediately. When session_regenerate_id(true)/​session_destroy(true) is called, session module destroy session data immediately.
  
-Users may add $_SESSION['​__SESSION_DESTORY_TTL__'​]. When this is happen, session module raise E_WARNING for this.+Users may add $_SESSION['​<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>​']. When this is happen, session module raise E_WARNING for this.
  
  
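Review bot: the final paragraph says an E_WARNING is raised when user code sets $_SESSION['__SESSION_DESTORY_TTL__'] itself, but not what the module then does with the value; state whether it is discarded or parsed as timestamp\0session_id, because the two preceding paragraphs act on exactly that value (deleting the old data, switching to the stored new session ID), so an application-written value would otherwise drive those decisions. Grammar on the same lines: "When this is happen, session module raise E_WARNING" should read "When this happens, the session module raises E_WARNING".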
Line 94: Line 101:
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-  * If user script has __SESSION_DESTROY_TTL__ key in $_SESSION, it may break application.+  * If user script has <​nowiki>​__SESSION_DESTROY_TTL__</​nowiki> ​key in $_SESSION, it may break application.
   * Raised error may break application.   * Raised error may break application.
  
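Review bot: the key is spelled __SESSION_DESTROY_TTL__ in the first bullet but __SESSION_DESTORY_TTL__ everywhere else on this page (the TTL description and the vote item). This bullet warns about a literal key collision in $_SESSION, so the name here must match the one the session module actually checks; settle on one spelling across the RFC before it goes to a vote.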
Line 135: Line 142:
  
  
-===== Proposed Voting Choices ​=====+===== Vote =====
  
-  * Add __SESSION_DESTORY_TTL__ time stamp Yes/No+  * Add <​nowiki>​__SESSION_DESTORY_TTL__</​nowiki> ​time stamp Yes/No
  
  
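Review bot: the single vote item reads "Add __SESSION_DESTORY_TTL__ time stamp Yes/No", which names an internal key rather than the behaviour being voted on. Per the earlier section the same value also carries the new session ID, and session_regenerate_id()/session_destroy() gain delayed-destroy semantics; word the choice in terms of that behaviour change so voters know what a Yes enables.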
Line 147: Line 154:
  
   * http://​us3.php.net/​session_regenerate_id   * http://​us3.php.net/​session_regenerate_id
 +  * https://​bugs.php.net/​bug.php?​id=69127 (Bug report)
 +  * https://​wiki.php.net/​rfc/​session-lock-ini#​proposal_4_-_lazy_destroy (Previous attempt)
  
 ===== ChangeLog ===== ===== ChangeLog =====
rfc/session_regenerate_id.txt · Last modified: 2017/09/22 13:28 (external edit)