PHP :: Request #36696 :: __destruct() is called before serialize() when object stored in session

__destruct() is called before serialize() when object stored in session

Submitted:

2006-03-11 04:30 UTC

Modified:

2013-12-18 00:29 UTC

Votes:	2
Avg. Score:	2.0 ± 1.0
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

iain at iaindooley dot com

Assigned:

sas (profile)

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

OS:

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	iain at iaindooley dot com
New email:
PHP Version:		OS:

New Comment:

[2006-03-11 04:30 UTC] iain at iaindooley dot com

Description:
------------
if an object that impelements Serializable is stored in the session, and implements __destruct, then __destruct is called before serialize() when the script finishes execution.

Reproduce code:
---------------
<?
class SomeClass implements Serializable
{
     function SomeClass()
     {
     }

     public function unserialize($dat)
     {
         echo('called unseriazlize');
     }

     public function serialize()
     {
         echo('called serialize<br />');
     }

     function __destruct()
     {
         echo('called __destruct<br />');
     }
}

session_name('god');
session_start();
$_SESSION['var'] = new SomeClass();

?>


Expected result:
----------------
called serialize
called __destruct

Actual result:
--------------
called __destruct
called serialize

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-03-13 10:53 UTC] helly@php.net

The solution is easy: close the session before ending your scripts. Otherwise this is a session shutdown issue.

Assigning to primary session maintainer.

[2006-03-13 11:07 UTC] iain at iaindooley dot com

Just for clarity, i presume you mean using:

session_write_close();

before the scripts conclude.

[2006-03-13 19:54 UTC] helly@php.net

exactly

[2006-03-21 15:47 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

When putting objects into session or serializing them manually put the instantiation result into a variable 1st and then use it.

Ex. $a = new Object();
$_SESSION['obj'] = $a;

Doing so avoids temp var, which gets destroyed right away hence leading to the wrong order of operations.

[2006-03-21 23:34 UTC] iain at iaindooley dot com

i would say that the fact the order of operations changes for a temp var or an assigned var is a bug.

[2006-03-22 18:13 UTC] iliaa@php.net

There is nothing wrong with the order here. Temp var gets destroyed as soon as it is created, while session serialization happens at the end of the script.

[2006-03-23 00:27 UTC] iain at iaindooley dot com

in a garbage collection system, the destructor shouldn't be called on an object until the last reference to it is destroyed. if i do:

$_SESSION['var'] = new Var();

then a reference to that object that was created should be stored in the $_SESSION array, and __destruct() should not be called until the $_SESSION array is destoryed. so clearly the session array must be being destroyed before the objects within it are serialized, which isn't right.

[2008-06-26 09:38 UTC] margus dot sipria at gmail dot com

duplicate with a bug http://bugs.php.net/bug.php?id=33772

[2011-02-21 21:29 UTC] jani@php.net

-Package: Feature/Change Request +Package: Session related

[2013-06-27 22:20 UTC] yohgaki@php.net

-Package: Session related +Package: Scripting Engine problem -PHP Version: 5.1.2 +PHP Version: *

[2013-06-27 22:20 UTC] yohgaki@php.net

There is exact dup bug report, but I cannot find.
Workaround is call before session_write_close() before shutdown, but __destruct 
should be the last magicmethod to be called, isn't it?

[2013-08-02 12:25 UTC] info at djdb dot be

/**
 * @param mixed $user
 * @return void
 */
function setsessionuser($user){
	$_SESSION['user']=serialize($user);
}
/**
 * getsessionuser()
 * @return object User
 */ 
function getsessionuser(){
	return(isset($_SESSION['user']))?unserialize($_SESSION['user']):null;
}
class User extends User_data{
test and remake

[2013-12-18 00:28 UTC] sas@php.net

Hi,

please reopen ticket if this particular issue reoccurs.

Thank you for using PHP.

Best
Sascha

[2013-12-18 00:29 UTC] sas@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 20:00:01 2025 UTC