Re: [PHP-DEV] [RFC] [Discussion] Deprecate GET/POST sessions

From: Anton Smirnov <arokettu@outlook.com>
Date: Sun, 3 Mar 2024 at 19:56

Greetings!

As far as I know, some session-related middlewares force custom-only session_id
handling by setting

  use_cookies = Off
  use_only_cookies = On

and then using session_id(...) directly.

Example:
php-session/src/PhpSession.php at master · middlewares/php-session · GitHub

I think if you're making this hack impossible, you should provide an
alternative non-hackish way to do this.

Maybe just keep use_cookies = Off

A wild idea:

1) Add a temporary config

  # by default; current behavior;
  # throws a deprecation right from the introduction
  cookies.use_post_get = On
  # do not set the session from POST and GET
  cookies.use_post_get = Off

Remove it in 9 with the rest

2) keep use_cookies in PHP 9 with the updated meaning

I don't think it's a good solution but maybe it can spark a better one

Best,
Anton
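The pattern described in the message above, written out as an added example (it is not code from middlewares/php-session or from the RFC). The function name `startManagedSession` and the cookie name `APPSESSID` are hypothetical; the caller is assumed to pass in the request's cookies and to emit the returned header itself.

```php
<?php
declare(strict_types=1);

// Added illustration; the function and cookie names are hypothetical.
const SESSION_COOKIE = 'APPSESSID';

/**
 * Start a session whose ID is taken only from the cookie array supplied by
 * the caller, never from PHP's own cookie/GET/POST detection.
 * Returns the Set-Cookie header value the caller should send.
 */
function startManagedSession(array $requestCookies): string
{
    $candidate = $requestCookies[SESSION_COOKIE] ?? null;

    // Accept only IDs made of characters PHP's own generator can produce
    // (0-9, a-z, A-Z, "-", ",") and of a permitted length; anything else is
    // ignored, so session_start() creates a fresh ID.
    if (is_string($candidate)
        && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $candidate) === 1) {
        session_id($candidate);
    }

    session_name(SESSION_COOKIE);
    session_start([
        'use_cookies'      => 0,  // PHP neither reads nor sends the cookie
        'use_only_cookies' => 1,  // no session ID from GET/POST
        'use_trans_sid'    => 0,  // no session ID rewritten into URLs
        'use_strict_mode'  => 1,  // do not accept uninitialized session IDs
        'cache_limiter'    => '', // the caller controls cache headers
    ]);

    // The caller, not PHP, is responsible for the cookie and its attributes.
    return sprintf(
        '%s=%s; Path=/; HttpOnly; Secure; SameSite=Lax',
        SESSION_COOKIE,
        session_id()
    );
}

// Constructed sample request: the malformed ID is dropped, a new one is issued.
$header = startManagedSession([SESSION_COOKIE => '../../etc/passwd']);
echo 'Set-Cookie: ', $header, PHP_EOL;
```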

I think the better option is to make this explicit and add a config along the lines of `automatic_session_detection` (name to be bikeshed) defaulting to `On`, and in your use-case setting it to `Off` explicitly.

Regards,
Mel

Hi Everyone,

Upon consideration of your comments, I have decided to adjust my RFC.
Please see the updated version
https://wiki.php.net/rfc/deprecate-get-post-sessions

Changes include:
- session.use_cookies will not be deprecated
- session.trans_sid_tags, session.trans_sid_hosts,
session.referer_check will get deprecated too (although I am not sure
how to implement the deprecation message yet)
- the SID constant will also be deprecated as part of this RFC
- mentioned that output_add_rewrite_var() will remain unaffected

Regards,
Kamil

If there are no more comments, I would like to put this RFC to vote in
the next two days.

On 4 Apr 2024, at 01:08, Kamil Tekiela <tekiela246@gmail.com> wrote:

> If there are no more comments, I would like to put this RFC to vote in
> the next two days.

Hi,

1. In session_start(), it is possible to override ini settings like that:

session_start([ 'use_cookies' => '1', 'use_only_cookies' => '1', 'referer_check' => '' ]);

The relevant options should also be deprecated in that context.

2. A clarification: Suppose that I have `session.use_only_cookies = 1` in my ini file (no deprecation warning), and I call `ini_set("session.use_only_cookies", "1")` in my code (no-op). Will the `ini_set(...)` invocation trigger a deprecation warning?

—Claude

> 1. In session_start(), it is possible to override ini settings like that:
>
> session_start([ 'use_cookies' => '1', 'use_only_cookies' => '1', 'referer_check' => '' ]);
>
> The relevant options should also be deprecated in that context.

Yes, they are. You can see that in my draft PR.

> 2. A clarification: Suppose that I have `session.use_only_cookies = 1` in my ini file (no deprecation warning), and I call `ini_set("session.use_only_cookies", "1")` in my code (no-op). Will the `ini_set(...)` invocation trigger a deprecation warning?

As mentioned in the RFC, only changing the option to the deprecated
value triggers the deprecation. You can verify this using my draft PR.
Similarly, if your INI file triggers a deprecation due to, for example,
session.use_only_cookies=0 and then in your PHP file you change it
using ini_set("session.use_only_cookies", "1") or using the argument to
session_start(), it will only trigger the deprecation during startup
and not during runtime of the script.