Session Management Library.
Install via composer:
composer require minphp/session:dev-master
TODO
The current behavior of the session is to set and manage only the PHP session cookie with current php ini values.
However, some cookie management features from minPHP 0.x are no longer present:
Since the PDOHandler is a custom session handler for storing sessions in a database, allowing the session cookie to be set with a different TTL (for keep-alive) would require the database session to support a custom TTL for its expire date as well, in order to keep the client and server session TTLs in sync.
PdoHandler::read has two issues:
It prepares a SELECT statement and executes it, but does not fetch (PDOStatement::fetch()) the result. Even if it did, it does not set the fetch mode correctly. The return value would be an array due to the default PDO::ATTR_DEFAULT_FETCH_MODE being PDO::FETCH_BOTH, not an object (PDO::FETCH_OBJ) that it is expecting.
session_regenerate_id(true) appears to not regenerate the session in php7 as it does in php5.5. The session handler (e.g. PdoHandler) does not get written to after the call to session_regenerate_id, suggesting that the session needs to first be restarted.
It may have to do with the warning mentioned for that function @ http://php.net/manual/en/function.session-regenerate-id.php
Warning
Current session_regenerate_id does not handle unstable network well. e.g. Mobile and WiFi network. Therefore, you may experience lost session by calling session_regenerate_id.
You should not destroy old session data immediately, but should use destroy time-stamp and control access to old session ID. Otherwise, concurrent access to page may result in inconsistent state, or you may have lost session, or it may cause client(browser) side race condition and may create many session ID needlessly. Immediate session data deletion disables session hijack attack detection and prevention also.
The following error can be encountered if calling PdoHandler::write too quickly when the session is determined not to exist (even if it does):
SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '08kjho7sasn0en1140833c3gj6' for key 'PRIMARY' on line 111 in \path\to\vendors\minphp\session\src\Handlers\PdoHandler.php
This happens during normal use when a page is loaded at about the same time as another page, or when multiple AJAX requests are made. This may be a race condition with checking and inserting a session.
Session values (e.g. "session.cookie_path") are supposed to be set before the session is active. If set when the session is active, they have no effect. However, as of php v7.2+, this is enforced by triggering a warning and an exception. I could not find this change documented in the php 7.2 changelog, but the following error occurs when the Session calls ini_set during an active session:
ini_set(): A session is active. You cannot change the session module's ini settings at this time on line 61 in \path\to\minphp\session\src\Session.php
PdoHandler implements the SessionHandlerInterface. In php7+, instances of SessionHandlerInterface::read must return a string. The PdoHandler does not always return a string, and in such cases, encounters the following fatal error:
session_regenerate_id(): Failed to create(read) session ID: user
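The read and write problems reported above (no fetch, non-string return, duplicate-key race) can be addressed as in the following added example, which is not the project's PdoHandler. It assumes PHP 8, the pdo_sqlite extension, and a hypothetical `sessions` table with `id`, `value` and `expire` columns.

```php
<?php
declare(strict_types=1);

// Illustrative handler, not minphp/session's PdoHandler.
// Table `sessions` and columns id/value/expire are assumptions for this example.
final class ExamplePdoHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1800) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT value FROM sessions WHERE id = ? AND expire > ?');
        $stmt->execute([$id, time()]);
        // fetchColumn() actually fetches, and ignores PDO::ATTR_DEFAULT_FETCH_MODE.
        $value = $stmt->fetchColumn();
        // A missing or expired row must yield '' (a string), never null or false.
        return $value === false ? '' : (string) $value;
    }

    public function write(string $id, string $data): bool
    {
        // One atomic upsert replaces "check, then INSERT", so concurrent requests
        // cannot both INSERT. SQLite/PostgreSQL syntax; MySQL: ON DUPLICATE KEY UPDATE.
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, value, expire) VALUES (:id, :v, :e)
             ON CONFLICT(id) DO UPDATE SET value = excluded.value, expire = excluded.expire'
        );
        return $stmt->execute([':id' => $id, ':v' => $data, ':e' => time() + $this->ttl]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        return $this->db->exec('DELETE FROM sessions WHERE expire <= ' . time());
    }
}

// Constructed demo against an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, value TEXT NOT NULL, expire INTEGER NOT NULL)');
$h = new ExamplePdoHandler($db);
var_dump($h->read('unknown-id'));      // unknown session: still a string
foreach (['a|i:1;', 'a|i:2;'] as $data) { $h->write('constructed-id', $data); }
var_dump($h->read('constructed-id'));  // second write updated the existing row
```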
Minphp\Session\Session maintains a boolean property $started and checks it before calling session_start(), but this can lead to an error (i.e. "A session had already been started") if the session is already active. In my particular use case, php is configured to auto-start a session--even via CLI--, so attempting to start the session via \Minphp\Session\Session leads to that error.
It would be better if the $started property was set by checking the actual session_status() rather than presuming it is only set inside of this class, i.e.:
$this->started = (session_status() === PHP_SESSION_ACTIVE);
Similar to #16, the Session cannot set php ini values via ini_set() after headers have already been sent. The following error will occur in php 7.2+:
ini_set(): Headers already sent. You cannot change the session module's ini settings at this time
Additionally, the session cannot be started if headers have been sent either.
session_start(): Cannot send session cache limiter - headers already sent
The session handler cannot be saved either:
session_set_save_handler(): Cannot change save handler when headers already sent
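The three preconditions described in the reports above (session not already active, headers not yet sent, ini values set before start) can be checked in one place. This is an added example with a hypothetical helper name, not code from minphp/session.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of minphp/session): apply session ini
 * options, install the handler and start the session only when PHP will
 * accept all three. Returns 'started', 'already-active', 'headers-sent'
 * or 'failed'.
 */
function startSessionSafely(array $options = [], ?SessionHandlerInterface $handler = null): string
{
    // Trust PHP's own state rather than a private $started flag; this also
    // covers session.auto_start and sessions started by other code.
    if (session_status() === PHP_SESSION_ACTIVE) {
        return 'already-active';
    }
    // Once output has begun, ini_set(), session_set_save_handler() and
    // session_start() all fail, so record where the output came from.
    if (headers_sent($file, $line)) {
        error_log("Session not started: output began at {$file}:{$line}");
        return 'headers-sent';
    }
    foreach ($options as $name => $value) {
        ini_set($name, (string) $value);
    }
    if ($handler !== null) {
        session_set_save_handler($handler, true);
    }
    return session_start() ? 'started' : 'failed';
}

// Constructed usage: the second call finds the session active and leaves
// the ini settings untouched instead of triggering the 7.2+ warning.
$first  = startSessionSafely(['session.cookie_httponly' => '1', 'session.use_strict_mode' => '1']);
$second = startSessionSafely(['session.cookie_path' => '/app']);
echo $first, ' then ', $second, PHP_EOL;
```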