rfc:session_regenerate_id

Differences

rfc:session_regenerate_id [2015/03/20 00:47]
yohgaki
rfc:session_regenerate_id [2017/09/22 13:28] (current)
Line 7: Line 7:
   * Status: Under Discussion   * Status: Under Discussion
   * First Published at: http://​wiki.php.net/​rfc/​session_regenerate_id   * First Published at: http://​wiki.php.net/​rfc/​session_regenerate_id
 +  * Renamed: https://​wiki.php.net/​rfc/​precise_session_management
  
 ===== Introduction ===== ===== Introduction =====
 +
 +**This RFC is renamed**. Refer to the latest
 +
 +https://​wiki.php.net/​rfc/​precise_session_management
 +
 +
  
 Keeping HTTP session as secure as possible is what the session manager'​s task. **Session manager can improve HTTP session security without user code modification while keeping compatibility with existing applications.** Please note that this RFC is for session manager behavior. Keeping HTTP session as secure as possible is what the session manager'​s task. **Session manager can improve HTTP session security without user code modification while keeping compatibility with existing applications.** Please note that this RFC is for session manager behavior.
Line 56: Line 63:
 ===== Proposal ===== ===== Proposal =====
  
-==== Add transparent ​__SESSION_TTL__ ​timestamp ====+==== Add transparent ​__SESSION_DESTROY_TTL__ ​timestamp ====
  
 **Add '​session_destory_ttl'​ INI directive**(INI_ALL,​ default 300 seconds) and **"​make sure old session is deleted certain period"​**. **Add '​session_destory_ttl'​ INI directive**(INI_ALL,​ default 300 seconds) and **"​make sure old session is deleted certain period"​**.
Line 66: Line 73:
 </​code>​ </​code>​
  
-for old session data. This is pseudocode. User will never see $_SESSION['​__SESSION_DESTORY_TTL__'​] as it is removed/​added upon session data serialization internally in session module.+for old session data. This is pseudocode. User will never see $_SESSION['​__SESSION_DESTORY_TTL__'​] as it is removed/​added upon session data serialization internally in session module.  
 + 
 +$_SESSION['<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>'​] also stores new session ID when TTL is set by session_regenerate_id().  
 + 
 +   ​integer_string_timestamp\0string_session_id 
 + 
 +If browser accesses to be deleted session (old session), session module uses new session ID rather than old and try to set correct new ID. i.e. Send new session ID cookie to browser. This prevents lost session under unstable network.
  
-If session module finds $_SESSION['​__SESSION_DESTORY_TTL__'​] and timestamp is old, delete old session data and create new session with new session ID. E_WARNING error is raised for this because it means either too short TTL or user is under attack.+If session module finds $_SESSION['​<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>​'] and timestamp is old, delete old session data and create new session with new session ID. E_WARNING error is raised for this because it means either too short TTL or user is under attack.
  
 When session_regenerate_id(true)/​session_destroy(true) is called, session module destroy session data immediately. When session_regenerate_id(true)/​session_destroy(true) is called, session module destroy session data immediately.
  
-Users may add $_SESSION['​__SESSION_DESTORY_TTL__'​]. When this is happen, session module raise E_WARNING for this.+Users may add $_SESSION['​<​nowiki>​__SESSION_DESTORY_TTL__</​nowiki>​']. When this is happen, session module raise E_WARNING for this.
  
  
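Review bot: the identifier spelling is inconsistent within this hunk: the new heading introduces __SESSION_DESTROY_TTL__, but the INI directive 'session_destory_ttl' and every $_SESSION key reference in the body read DESTORY, while the Backward Incompatible Changes section below uses DESTROY; settle on one spelling before the vote, since the key name is exactly what user code would collide with. The stored format "integer_string_timestamp\0string_session_id" should also state what is written when the TTL is set by session_destroy() and there is no new session ID (empty second field, or no NUL at all), otherwise the parser has an undefined case. Finally, the E_WARNING described as "user is under attack" is raised only once the timestamp is old; during the TTL window a request presenting the old ID is answered with the new ID cookie, so the text should say how that case is distinguished from a legitimate retry on an unstable network (for example, whether the old ID is accepted more than once within the window).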
Line 88: Line 101:
 ===== Backward Incompatible Changes ===== ===== Backward Incompatible Changes =====
  
-  * If user script has __SESSION_DESTROY_TTL__ key in $_SESSION, it may break application.+  * If user script has <​nowiki>​__SESSION_DESTROY_TTL__</​nowiki> ​key in $_SESSION, it may break application.
   * Raised error may break application.   * Raised error may break application.
  
Line 129: Line 142:
  
  
-===== Proposed Voting Choices ​=====+===== Vote =====
  
-  * Add __SESSION_DESTORY_TTL__ time stamp Yes/No+  * Add <​nowiki>​__SESSION_DESTORY_TTL__</​nowiki> ​time stamp Yes/No
  
  
Line 141: Line 154:
  
   * http://​us3.php.net/​session_regenerate_id   * http://​us3.php.net/​session_regenerate_id
 +  * https://​bugs.php.net/​bug.php?​id=69127 (Bug report)
 +  * https://​wiki.php.net/​rfc/​session-lock-ini#​proposal_4_-_lazy_destroy (Previous attempt)
  
 ===== ChangeLog ===== ===== ChangeLog =====
  
-  * 2015/03/30 - Change INI directive name.+  * 2015/03/21 - Added new session ID handling. 
 +  * 2015/​03/​20 ​- Change INI directive name.
   * 2014/03/19 - Add exception option as Stas suggested.   * 2014/03/19 - Add exception option as Stas suggested.
   * 2014/03/18 - Change RFC to propose time stamping.   * 2014/03/18 - Change RFC to propose time stamping.
   * 2013/10/30 - Added details and message option.   * 2013/10/30 - Added details and message option.
   * 2013/10/29 - Created RFC   * 2013/10/29 - Created RFC
rfc/session_regenerate_id.1426812444.txt.gz · Last modified: 2017/09/22 13:28 (external edit)