Garvin Hicking wrote:
Hi!
(I can only agree to what Michal said - it's only not implemented because nobody got down to do it)
If you're going to implement this, do not forget that sessions should work also without cookies enabled.
I agree with sessions. Even if we ask for PHP 4.1.0 as a minimum requirement, maybe it's better to have the choice of using sessions or not. We could look at the possibility of using some kind of plugin mechanism for passing data.
There is also a problem about which Marc and I talked in the past. We should not store sensitive information like passwords in sessions, as usually all session data can be accessed by untrusted users on the same webserver, since session files are usually readable by everyone.
We currently use blowfish for hiding user name and password in the cookies, so we should continue this way with sessions. But other sensitive data contained in a query (a social security number, for example) may find its way into session data, so we have to deal with this. Encrypt everything? With mcrypt it would not be too bad; without mcrypt, ouch.
Also, we need to think about what bad can happen when someone hijacks your session id, or uses session fixation.
Regards, Garvin
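The three concerns raised in this thread (world-readable session files, sensitive query data landing in the session, and session fixation/hijacking) in one added example. This is illustrative code written for this page, not phpMyAdmin's code; it assumes PHP 7.3 or later with the openssl extension, so it uses AES-GCM via openssl in place of the mcrypt/blowfish setup discussed above, and the save path and key handling are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.3 with openssl.

// 1. Keep session files out of the shared, world-readable default directory.
//    Path and mode are assumptions for illustration; the key must come from
//    server-side configuration, never from the session or the cookie.
$savePath = '/var/lib/myapp/sessions';
if (!is_dir($savePath)) {
    mkdir($savePath, 0700, true);
}
ini_set('session.save_path', $savePath);

// 2. Refuse ids the server never issued (blocks fixation) and keep the cookie
//    out of reach of scripts and plain HTTP.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Encrypt a value before it is written to the session file, so a neighbour on
// the same host who can read the file still learns nothing from it.
function sealForSession(string $plaintext, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length('aes-256-gcm')); // 12 bytes
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function openFromSession(string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null; // truncated or tampered record
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt  = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt; // false = authentication tag mismatch
}

// 3. On successful login: issue a fresh id (any attacker-chosen id dies here)
//    and keep the password itself out of the session entirely.
function onLoginSuccess(string $username, string $sessionKey): void
{
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    // Query text that must survive a redirect goes in sealed, not in clear.
    $_SESSION['last_query'] = sealForSession($_POST['sql'] ?? '', $sessionKey);
}
```

Read `last_query` back with `openFromSession($_SESSION['last_query'], $sessionKey)` and treat a `null` result as a corrupted or tampered session record rather than as an empty query.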