Request #43980 Difficult to unserialize session data in user session save function
Submitted: 2008-01-30 02:49 UTC Modified: 2013-08-21 02:13 UTC
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: rhm31 at cam dot ac dot uk Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: * OS: *
Private report: No CVE-ID: None

 [2008-01-30 02:49 UTC] rhm31 at cam dot ac dot uk
A custom session handler has a save function, which is given an opaque piece of session data. No functions are provided to modify this data, even though this can be useful in some cases.

As a workaround, session_decode and session_encode can be used. However, there are some problems:
1. BUG: session_start() must be called in the save function; presumably because in the save handler the session is already closed.
2. HARD TO USE: The functions do not simply take a string and return an array or vice versa; instead they work directly on the $_SESSION array. This means you cannot easily use them for generic purposes.

A function that implements decode_session below could be added to the standard library, and the existing functions deprecated, since this function subsumes them.
Also, a similar function for encode_session.

Reproduce code:
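function decode_session($session_string) {
	$current_session = session_encode();  // keep the live session so it can be restored
	foreach ($_SESSION as $key => $value) { unset($_SESSION[$key]); }
	session_decode($session_string);      // decodes straight into $_SESSION
	$restored_session = $_SESSION;
	foreach ($_SESSION as $key => $value) { unset($_SESSION[$key]); }
	session_decode($current_session);     // put the live session back
	return $restored_session;
}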

Expected result:
The session_string to be decoded and returned as an array.

Actual result:
An empty array is returned with no error message when above function is called from a session save handler.


 [2008-03-17 00:47 UTC]
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6

 [2008-03-17 15:12 UTC] rhm31 at cam dot ac dot uk
From the documentation:


(PHP 4, PHP 5)

session_encode - Encodes the current session data as a string
string session_encode ( void )

This signature is wrong, since it assumes you want to encode the current $_SESSION variable, but sometimes you don't want to and you want to encode something else.

This is not specific to PHP4 only.
 [2011-04-08 21:24 UTC]
-Package: Feature/Change Request +Package: Session related -Operating System: Linux +Operating System: * -PHP Version: 5 +PHP Version: *
 [2011-10-04 22:59 UTC] tklingenberg at lastflood dot net
If you want to encode something else (e.g. an array with keys as variable names), you can just mimic the PHP session handler by:

$encoded = '';
foreach($array as $name => $value)
    $encoded .= $name.'|'.serialize($value);

Ensure that the serialize handler as well as the session serialize handler is "PHP". Decoding is not that simple however, you would require a library as of now.

To have another tool in the box, a decode/encode function pair with a parameter of type "variable" array (like $_SESSION) and a parameter type string with the name of the serialize handler would be useful, maybe even two function pairs, one for session (variable list) and one for the actual values (un/serialize) but I think this won't work for the serially encoded values out of the box, so you always need to unserialize all, which means instantiation of objects etc.
 [2012-03-31 03:27 UTC]
-Assigned To: +Assigned To: yohgaki
 [2012-03-31 03:27 UTC]
I think the next release should have a new handler that encodes with plain serialize, and set it as the default.

This will lead to BC problems for certain users, but the current implementation is a legacy one for supporting global session variables.
 [2013-08-21 02:13 UTC]
-Status: Assigned +Status: Closed
 [2013-08-21 02:13 UTC]
php_serialize will be available from PHP 5.5.4.
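
What the resolution of this request makes possible, as an added example that is not code from the report or from the PHP project: with session.serialize_handler set to php_serialize, the string passed to a custom handler's write() is plain serialize() output, so it can be decoded there without session_decode() or $_SESSION, and without instantiating stored objects. The class name InspectingHandler, its in-memory store and the sample session values are hypothetical; PHP 8.0+ on the command line is assumed.

```php
<?php
// Added example (hypothetical names), assumes PHP 8.0+ run from the CLI.
final class InspectingHandler implements SessionHandlerInterface
{
    private array $store = [];      // session id => raw serialized string
    public array $lastDecoded = []; // what write() last saw, as an array

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id] ?? ''; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false { return 0; }

    public function write(string $id, string $data): bool
    {
        // Under php_serialize, $data is plain serialize($_SESSION), so it can
        // be decoded here without session_decode() or touching $_SESSION.
        // allowed_classes => false keeps stored objects from being
        // instantiated; they come back as __PHP_Incomplete_Class.
        $decoded = $data === '' ? [] : unserialize($data, ['allowed_classes' => false]);
        if (!is_array($decoded)) {
            return false; // not a serialized array: refuse to store it
        }
        $this->lastDecoded = $decoded;
        $this->store[$id] = $data;
        return true;
    }
}

// Must be set before session_start(); php_serialize exists from PHP 5.5.4.
ini_set('session.serialize_handler', 'php_serialize');
$handler = new InspectingHandler();
session_set_save_handler($handler, true);
session_start();
$_SESSION['user'] = 'alice';        // constructed sample data
$_SESSION['cart'] = ['sku-1' => 2];
session_write_close();              // triggers InspectingHandler::write()

var_dump($handler->lastDecoded);    // the session as an array, decoded in write()
```

The same decode does not work under the default "php" handler, whose name|value format is not valid input to unserialize().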