php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #46451 Session module needs a hook into the evaluator
Submitted: 2008-11-01 14:19 UTC Modified: 2020-11-16 16:24 UTC
Votes:6
Avg. Score:3.5 ± 1.4
Reproduced:3 of 4 (75.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: jost_boekemeier at yahoo dot de Assigned:
Status: Analyzed Package: Session related
PHP Version: * OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jost_boekemeier at yahoo dot de
New email:
PHP Version: OS:

 

 [2008-11-01 14:19 UTC] jost_boekemeier at yahoo dot de
Description:
------------
If a PHP object is stored into the PHP session, __destruct() is called before __sleep().

One way to fix this bug is to change the evaluator to call session_write_close() before calling __destruct().





Reproduce code:
---------------
<?php
/**
  * Check if __destruct() is called after __sleep()
  * exit with 1 if the test failed.
  */
class C {
  var $destroyed = false;
  function __destruct() {
    echo "destroy called\n";
    $this->destroyed = true;
  }
  function __sleep() {
    if ($this->destroyed) {echo("sleep failed. bleh!\n"); exit(1); }
    return array();
  }
  function __wakeup() {
    $this->destroyed = false;
  }
  function __toString() {
    return "C::".($this->destroyed?"destroyed":"active");
  }
}
session_id("session-write-close-bug");
session_start();
$a=@$_SESSION['a'];
if(!$a) {
  echo "new C\n";
  $a=new C();
  $_SESSION['a']=$a;
 }
$a=$_SESSION['a'];
echo "$a\n";
//session_write_close();
exit (0);
?>


Expected result:
----------------
result code 0

Actual result:
--------------
result code 1

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-01-23 21:27 UTC] jani@php.net
-Package: Feature/Change Request +Package: Session related -PHP Version: 5.2.6 +PHP Version: *
 [2013-06-27 11:00 UTC] yohgaki@php.net
-Status: Open +Status: Analyzed -Package: Session related +Package: Scripting Engine problem
 [2013-06-27 11:00 UTC] yohgaki@php.net
Verified with PHP 5.4/5.5.

This is not a session problem, but a scripting engine.

__destruct() should be the last magic method to be called at shutdown. Is there 
any good reason for this behavior?
 [2020-11-16 16:24 UTC] cmb@php.net
-Package: Scripting Engine problem +Package: Session related
 [2020-11-16 16:24 UTC] cmb@php.net
> __destruct() should be the last magic method to be called at
> shutdown. Is there any good reason for this behavior?

The early calling of all destructors during request shutdown[1] has
been introduced to fix bug #30578.  It seems to me that the session
module should call php_session_save_current_state() earlier than in
its request shutdown handler.

[1] <https://github.com/php/php-src/blob/php-7.3.24/main/main.c#L1873>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 09 18:01:27 2024 UTC