CI v1.6.1 Core change "feature"?!?
#1

[eluser]Michael;[/eluser]
Please excuse the slight hostility... I don't mean to be ... really.

From the Change log:

Quote:# Added $_SERVER, $_FILES, $_ENV, and $_SESSION to sanitization of globals.

Seriously?! $_SESSION ... sanitized?!?!

Now, I understand, to some degree, removing $_GET ... but $_SESSION!?!? Come on... CI Sessions only allow for 4kb of data ... that is just fracking insane!

Can someone *PLEASE* offer up some explanation on this one?
#2

[eluser]wiredesignz[/eluser]
The $GLOBALS array is sanitized, $_SESSION is one of the protected items and is not cleared.
Which is the equivalent to register_globals = Off
#3

[eluser]Michael;[/eluser]
I don't know if I follow what you are saying... The change log says they added $_SESSION to the sanitization list ... how, therefore, does it not get cleared?
#4

[eluser]wiredesignz[/eluser]
Study the code in the Input library and see for yourself.
#5

[eluser]Edemilson Lima[/eluser]
Sanitization means filtering the data against bad input from the user, not complete data erasure.
#6

[eluser]Michael;[/eluser]
Ah... See, now that makes sense. When I say I'm going to Sanitize something it means removal, usually complete ... like passwords, or other significant or confidential data.

Obviously I'm glad I'm wrong in this regard and it *REALLY* did not make any sense to me that they would remove such data when the user guide points out that you can use the native sessions anyway.
#7

[eluser]Edemilson Lima[/eluser]
If the framework clears the $_SESSION array, I should always comment out the line that does this. :)
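
Added example, not part of any post above and not CodeIgniter's own Input library code: a simplified model of the behaviour described in post #2, where variables injected into the global scope are unset while protected names such as `_SESSION` are left intact. The function name `sanitize_globals`, the `$scope` array standing in for `$GLOBALS`, and all sample values are constructed for illustration.

```php
<?php
// Added illustration; not CodeIgniter's Input library code.
// Models a register_globals = On request: every key of a request array has
// also been injected into the global scope as a plain variable.

/**
 * Hypothetical helper: remove injected variables from $scope.
 *
 * @param array $scope      stand-in for $GLOBALS (modified in place)
 * @param array $sources    superglobal name => its contents
 * @param array $protected  names that must never be unset
 * @return array            names that were removed
 */
function sanitize_globals(array &$scope, array $sources, array $protected): array
{
    $removed = [];
    foreach ($sources as $name => $values) {
        foreach (array_keys($values) as $key) {
            $key = (string) $key;
            // A request parameter named "_SESSION" must not wipe the real array.
            if (in_array($key, $protected, true)) {
                continue;
            }
            if (array_key_exists($key, $scope)) {
                unset($scope[$key]);
                $removed[] = $key;
            }
        }
    }
    return $removed;
}

// Constructed sample state.
$session = ['user_id' => 42, 'is_admin' => false];
$get     = ['is_admin' => '1', '_SESSION' => 'x', 'page' => '2'];

$scope = [
    '_SESSION' => $session,
    '_GET'     => $get,
    'is_admin' => '1',   // injected from ?is_admin=1
    'page'     => '2',   // injected from ?page=2
];
$protected = ['_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS'];

$removed = sanitize_globals($scope, ['_GET' => $get, '_SESSION' => $session], $protected);

print_r($removed);            // names unset from the global scope
print_r($scope['_SESSION']);  // session data itself is unchanged
```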