Skip to content

[RFC] Precise session management #1734

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 45 commits into from
Closed

[RFC] Precise session management #1734

wants to merge 45 commits into from

Conversation

yohgaki
Copy link
Contributor

@yohgaki yohgaki commented Jan 22, 2016

This PR is for "Precise session management" RFC.
https://wiki.php.net/rfc/precise_session_management

Current Status:
All features/changes are implemented. Please report issues if there are.

TODO:
Fix test dependency issues by fundamental test updates.

Yasuo Ohgaki added 4 commits January 10, 2016 09:48
WIP add ini values
949a02e
Merge branch 'master' into master-rfc-presice-session-management
9f3a2aa
WIP: precise session. Test fails due to new internal data "__PHP_SESS…
de296c5 
…ION__"

is in serialized data. Other than this, basic feature works.
WIP: Add session_info(), session_gc() function. Update tests
11b33f0 
TODO:
 - Add session internal data validation, otherwise broken data can crash PHP.
 - Remove dependency from previous tests and/or other PHP versions.
 - Use long parameter for session_destroy([long $duration_for_removing]).
@laruence laruence added the RFC label Jan 22, 2016
Yasuo Ohgaki added 25 commits January 22, 2016 19:45
WIP: Implement internal data validation. Make php_session_regenerate_…
96cc747 
…id().
Fix test failures
7b91c51
WIP: Fix tests, add tests. Use proper API. Do not validate PS(interna…
1aa288c 
…l_data) for malformed inputs.
WIP: Add session.num_sids config. Add tests. Needs some more works.
79a838a
WIP: Refactor. Need more tests.
492cd41
WIP: Refactor
e12405d
WIP: Refactor. Fix and add more tests.
f3d7d87
Merge branch 'master-rfc-precise-session-management' of github.com:yo…
1607bae 
…hgaki/php-src into master-rfc-precise-session-management
WIP: Implement session destroy duration
68ebbcd
Set httponly by default. Use sha1 as hash/5 for hash_bits_per_charact…
6a2cbee 
…er by default (already done in ini). Support disabling automatic session ID regeneration. Update php.ini-production/development.
Remove TTL_UPDATE. "session object" is misleading. Rename it to "sess…
5ff49c4 
…ion data".
Remove TLL
7591736
Fix WDDX test
be71591
Merge remote-tracking branch 'upstream/master' into master-rfc-precis…
b94541c 
…e-session-management
Add warning for __PHP_INTERNAL__ key in $_SESSION
9682c85
Disallow negative values for INIs. Add edge case tests.
da9ca92
Add invalid internal data test. Refactor a little. Add internal data …
6af3d5f 
…initialization and check in session_decode()
Fix standard/tests/serialize/bug70219_1.phpt. Add protection against …
185fd9f 
…malformed session data.
http_session_vars is REFVAL. Fixed tests. Warn session_decode() also
10d04a3
Do not regenerated when internal data is broken. Return correct statu…
9f1e7f9 
…s when transid is used
WIP
e291041
Add another expired sessoin access phpt
9731c8b
Fix test dependency between PHP versions. This fixes test depency, bu…
84f8f71 
…t more robust fix will follow. This will be done when this is merged
Merge remote-tracking branch 'upstream/master' into master-rfc-precis…
fd91912 
…e-session-management

Fixed conflict
Fix typo
38ffb3c
Yasuo Ohgaki added 12 commits January 29, 2016 13:51
GC function is supposed to return num of deleted sessions. -1 for err…
26facc2 
…ors. This is enforced for internal save handlers while user handlers are not. We need to clean up this someday.
hash_bits_per_character default is 5 now
7cba104
Destroy session, set status to disabled and make sure return from the…
8b6018b 
…re when fatal error happened.
Make security error message explict. Keep offending session data for …
405446b 
…investigation for a while.
session_destroy() made not to support destroy duration.
1d23531
Since shutdown function is not called. PS(id) can be used
512dee0
Add comments to code for eaiser review
c60693e
Add missing ZSTR_VAL
72981f7
Add comment for further improment
19e28ad
Do not consider save handlers that do not lock session data. Remove c…
e9d08e1 
…omment for this.
Merge remote-tracking branch 'upstream/master' into master-rfc-precis…
84f0579 
…e-session-management

 Conflicts:
	ext/session/session.c
	ext/session/tests/bug32330.phpt
	ext/session/tests/session_set_save_handler_variation5.phpt
Update comments
dd429c8
bwoebi
bwoebi reviewed Feb 14, 2016
View reviewed changes
ext/session/session.c
RETURN_BOOL(php_session_destroy() == SUCCESS);
if (immediate) {
/* Immediate destroy may cause random lost session by server side race condition. */
php_error_docref(NULL, E_NOTICE, "Immediate session data removal may cause random lost sessions. It is advised not to delete immediately");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a total no-go. A notice for an intentionally chosen behavior (explicitly passing true).
Warn about it in docs, but definitely not force the user to use the @ operator.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. Let make it documentation issue.

@bwoebi
Copy link
Member

bwoebi commented Feb 14, 2016

In general, please do not convert to E_RECOVERABLE_ERROR, but use an exception, when you want them to be catchable.

@yohgaki
Copy link
Contributor Author

yohgaki commented Feb 15, 2016

It's OK for me to convert E_RECOVERABLE_ERROR to exceptions. Current session module does not have any exception. I'm not sure which one should be used. If nobody insist, I'll change them to exceptions.

derickr
derickr reviewed Mar 9, 2016
View reviewed changes
ext/session/session.c

if (PS(session_status) != php_session_active) {
php_error_docref(NULL, E_WARNING, "Session is not active");
RETURN_FALSE;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The general 'etiquette' is that when there is no data, "NULL" should be returned, and not FALSE. Especially in error conditions like this.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK. I'll change the return type.

@nikic
Copy link
Member

nikic commented Jul 10, 2016

Closing as the RFC has been declined (and is now split in parts).

@nikic nikic closed this Jul 10, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
RFC
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@yohgaki @bwoebi @nikic @derickr @Trainmaster @laruence