
minphp-session's Introduction

Minphp/Session


Session Management Library.

Installation

Install via composer:

composer require minphp/session:dev-master

Basic Usage

TODO

minphp-session's People

Contributors

tysonphillips, clphillips, abdyfranco, jreissmueller

minphp-session's Issues

Support cookie management (e.g. keep-alive, custom cookies)

The current behavior of the session is to set and manage only the PHP session cookie with current php ini values.

However, some cookie management features from minPHP 0.x are no longer present:

  • cookie keep-alive
  • cookie removal (not regeneration)
  • support for adding additional custom cookies (not necessarily needed, but useful)

Since the PDOHandler is a custom session handler for storing sessions in a database, allowing the session cookie to be set with a different TTL (for keep-alive) would necessitate that the database session support a custom TTL to be used for the expire date as well, in order to keep the client and server session TTL in sync.

PdoHandler::read returns no value, causes error

PdoHandler::read has two issues:

  1. It cannot return a value (due to error: using property of non-object)
  2. It does not fetch a value to return

It prepares a SELECT statement and executes it, but does not fetch (PDOStatement::fetch()) the result. Even if it did, it does not set the fetch mode correctly. The return value would be an array due to the default PDO::ATTR_DEFAULT_FETCH_MODE being PDO::FETCH_BOTH, not an object (PDO::FETCH_OBJ) that it is expecting.

Regenerating session fails to update handler in php7

session_regenerate_id(true) appears to not regenerate the session in php7 as it does in php5.5.

The session handler (e.g. PdoHandler) does not get written to after the call to session_regenerate_id, suggesting that the session needs to first be restarted.

It may have to do with the warning mentioned for that function @ http://php.net/manual/en/function.session-regenerate-id.php

Warning
Current session_regenerate_id does not handle unstable network well. e.g. Mobile and WiFi network. Therefore, you may experience lost session by calling session_regenerate_id.

You should not destroy old session data immediately, but should use destroy time-stamp and control access to old session ID. Otherwise, concurrent access to page may result in inconsistent state, or you may have lost session, or it may cause client(browser) side race condition and may create many session ID needlessly. Immediate session data deletion disables session hijack attack detection and prevention also.
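An added illustration, not the library's code, of the pattern the quoted manual warning recommends: regenerate the id without destroying the old record immediately, mark the old record with a destroy timestamp, and on later requests either migrate a client that kept the old cookie or reject an old id used after the grace period (a possible hijack). The key names 'destroyed'/'new_session_id', the 300 s grace period and the function names are constructed; session_create_id() assumes PHP 7.1+.

```php
<?php
// Added example, not the library's code: the destroy-timestamp pattern from the
// PHP manual's session_regenerate_id() page, instead of session_regenerate_id(true).
// Key names 'destroyed'/'new_session_id' and the 300 s grace period are constructed.
const SESSION_GRACE_SECONDS = 300;

// Call after login or a privilege change instead of session_regenerate_id(true).
function regenerateSessionWithGrace(): void
{
    $newId = session_create_id();          // collision-checked while a session is active
    $data  = $_SESSION;                    // carry the user's data into the new session
    // Mark the old record as superseded but keep it readable for the grace period,
    // so in-flight requests on an unstable network do not lose their session.
    $_SESSION['destroyed']      = time();
    $_SESSION['new_session_id'] = $newId;
    session_commit();                      // old record is written through the handler
    ini_set('session.use_strict_mode', '0');   // accept the id generated above
    session_id($newId);
    session_start();
    ini_set('session.use_strict_mode', '1');
    $_SESSION = $data;                     // the new session carries no destroy markers
}

// Call at request start instead of a bare session_start(). Returns 'ok',
// 'migrated' (stale cookie corrected) or 'rejected' (old id presented after the
// grace period: possible hijack, so the session is treated as unauthenticated).
function startSessionWithGraceCheck(): string
{
    session_start();
    if (empty($_SESSION['destroyed'])) {
        return 'ok';
    }
    if ($_SESSION['destroyed'] < time() - SESSION_GRACE_SECONDS) {
        session_unset();                   // drop any authentication state
        return 'rejected';
    }
    if (!empty($_SESSION['new_session_id'])) {
        // Within the grace period: the client kept the old cookie (lost Set-Cookie),
        // so switch it to the id that was already regenerated.
        $newId = $_SESSION['new_session_id'];
        session_commit();
        session_id($newId);
        session_start();
        return 'migrated';
    }
    return 'ok';
}
```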

PDOHandler duplicate key error if written too quickly

The following error can be encountered if calling PdoHandler::write too quickly when the session is determined not to exist (even if it does):

SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '08kjho7sasn0en1140833c3gj6' for key 'PRIMARY' on line 111 in \path\to\vendors\minphp\session\src\Handlers\PdoHandler.php

This happens during normal use when a page is loaded at about the same time as another page, or when multiple AJAX requests are made. This may be a race condition with checking and inserting a session.

Session ini values cannot be set when the session is active

Session values (e.g. "session.cookie_path") are supposed to be set before the session is active. If set when the session is active, they have no effect. However, as of php v7.2+, this is enforced by triggering a warning and an exception. I could not find this change documented in the php 7.2 changelog, but the following error occurs when the Session calls ini_set during an active session:

ini_set(): A session is active. You cannot change the session module's ini settings at this time on line 61 in \path\to\minphp\session\src\Session.php

PdoHandler returns wrong type, causes fatal error in php7+

PdoHandler implements the SessionHandlerInterface. In php7+, instances of SessionHandlerInterface::read must return a string. The PdoHandler does not always return a string, and in such cases, encounters the following fatal error:

session_regenerate_id(): Failed to create(read) session ID: user
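An added example, not minphp/session's own PdoHandler, showing the read()/write() shape the three PdoHandler issues above ask for: read() fetches explicitly with PDO::FETCH_OBJ and always returns a string (empty when nothing is stored), and write() is a single upsert so two concurrent requests for a new session id cannot race a SELECT-then-INSERT into a duplicate-key error. It assumes a MySQL table named `sessions` with columns `id`, `data` and `expire` (constructed for this illustration).

```php
<?php
// Added example, not minphp/session's own PdoHandler. Assumes a MySQL table
// (constructed for this example):
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB, expire INT);
class ExamplePdoHandler implements SessionHandlerInterface
{
    private $pdo;
    private $ttl;

    public function __construct(PDO $pdo, int $ttl = 1440)
    {
        $this->pdo = $pdo;
        $this->ttl = $ttl;
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    // PHP 7+ requires a string; return '' for a missing or expired session.
    public function read($id): string
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = :id AND expire > :now');
        $stmt->execute([':id' => $id, ':now' => time()]);
        // Fetch explicitly as an object: the default fetch mode is PDO::FETCH_BOTH (an array).
        $row = $stmt->fetch(PDO::FETCH_OBJ);
        return $row === false ? '' : (string) $row->data;
    }

    // One atomic upsert instead of SELECT-then-INSERT, so two concurrent requests
    // for the same new session id cannot race into a duplicate-key error.
    public function write($id, $data): bool
    {
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (id, data, expire) VALUES (:id, :data, :expire)
             ON DUPLICATE KEY UPDATE data = VALUES(data), expire = VALUES(expire)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':expire' => time() + $this->ttl]);
    }

    public function destroy($id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
    }

    #[\ReturnTypeWillChange] // gc() returns int|false on PHP 8.1+, bool earlier
    public function gc($maxLifetime)
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE expire < :now');
        return $stmt->execute([':now' => time()]) ? $stmt->rowCount() : false;
    }
}
```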

Improve Session "started" status

Minphp\Session\Session maintains a boolean property $started and checks it before calling session_start(), but this can lead to an error (i.e. "A session had already been started") if the session is already active. In my particular use case, php is configured to auto-start a session (even via CLI), so attempting to start the session via \Minphp\Session\Session leads to that error.

It would be better if the $started property was set by checking the actual session_status() rather than presuming it is only set inside of this class, i.e.:

$this->started = (session_status() === PHP_SESSION_ACTIVE);

Session ini values cannot be set after headers have been sent

Similar to #16, the Session cannot set php ini values via ini_set() after headers have already been sent. The following error will occur in php 7.2+:

ini_set(): Headers already sent. You cannot change the session module's ini settings at this time

Additionally, the session cannot be started if headers have been sent either.

session_start(): Cannot send session cache limiter - headers already sent

The session handler cannot be saved either:

session_set_save_handler(): Cannot change save handler when headers already sent
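An added example, not Minphp\Session\Session's own code, of a start() guard that addresses the three ordering issues above together: "started" is derived from session_status() rather than a private flag, and ini_set(), session_set_save_handler() and session_start() are only attempted when no session is active and no headers have been sent. The class, method and option names are constructed for this illustration.

```php
<?php
// Added example of a guarded start(); not Minphp\Session\Session's own code.
// Class, method and option names are constructed for this illustration.
class GuardedSessionStart
{
    private $options;
    private $handler;

    public function __construct(array $options, ?SessionHandlerInterface $handler = null)
    {
        $this->options = $options;   // e.g. ['session.cookie_httponly' => '1']
        $this->handler = $handler;
    }

    // Ask the engine, not a private flag, so a session auto-started by php.ini
    // (session.auto_start) or by other code is recognised as already started.
    public function isStarted(): bool
    {
        return session_status() === PHP_SESSION_ACTIVE;
    }

    public function start(): bool
    {
        if ($this->isStarted()) {
            return true;   // nothing to configure: ini_set() would warn/throw now
        }
        if (headers_sent($file, $line)) {
            // ini_set(), session_set_save_handler() and session_start() all fail here
            throw new RuntimeException("Cannot start session: headers already sent at $file:$line");
        }
        foreach ($this->options as $key => $value) {
            if (ini_set($key, (string) $value) === false) {
                throw new RuntimeException("Cannot set $key before session start");
            }
        }
        if ($this->handler !== null) {
            session_set_save_handler($this->handler, true);
        }
        return session_start();
    }
}
```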
