PHP :: Bug #5887 :: Difficulty with session handlers

Bug #5887	Difficulty with session handlers
Submitted:	2000-08-01 06:00 UTC	Modified:	2000-08-02 19:53 UTC
From:	michael at michaelsmacshack dot com	Assigned:
Status:	Closed	Package:	Session related
PHP Version:	4.0.1pl2	OS:	Caldera - 2.3
Private report:	No	CVE-ID:	None

View Developer Edit

[2000-08-01 06:00 UTC] michael at michaelsmacshack dot com

First I have read the documentation both on this site and at ZEND.<br>
The test case was taken from the artical "PHP4 Customer Session <br>
Handler Test Script" by Ying Zhang (ying@zippydesign.com) at the<br>
HTTP://www.phpbuilder.com site.<br>
<br>
This is a complex issue.  It would be reasonable to expect PHP4 to<br>
behave according to what is set in PHP.ini as a default....  <br>
The following are my results using PHP4.0.1pl2.<br>
<br>
1) With 'session.save_handler' not defined (commented out):<br>
<br>
    The online documentation for the session_module_name states that <br>
    the 'module' can be set in the call:<br>
          "session_module_name() returns the name of the current <br>
           session module. If module is specified, that module <br>
           will be used instead."<br>
           <br>
    Any attempt to do so results in an error regardless of whether<br>
    or not any handler has been defined by the user:<br>
        Fatal error: Failed to initialize session module in <br>
        .../handler/test.php on line 38   <br>
        This occurs at the session_start() call.<br>
    <br>
    Not setting a 'module' will return the current handler.  With<br>
    nothing defined in PHP.ini, a value of 'files' is returned.<br>
    <br>
    If you define your 'user' handlers and call 'session_set_save_handler'<br>
    before the 'session_module_name' call, a value of user is returned.<br>
    However, any variables registered in this session Do Not maintain<br>
    their value.  It is like the handlers are accepted, but are not used.<br>
    <br>
    Thus, not having 'session.save_handler' defined in PHP.ini does not<br>
    help.  However, the 'files' modules does work (e.g. no defined user<br>
    handlers) in this situation.<br>
    <br>
2)  If we define 'session.save_handler' in PHP.ini with a value of 'files',<br>
    then the same results as above occur.<br>
    <br>
    Thus in this case, we have explicitly defined the handler as file and<br>
    the only thing that works is the 'files' module.<br>
    <br>
3)  If we define the 'session.save_handler' in PHP.ini with a value of<br>
    'user', then things change to the opposite.  You must define an <br>
    user handler.  If you do not, registered variables are not retained.<br>
    <br>
    Thus the 'user' module dos work in this case and the variables are<br>
    passed from invocation to invocation.<br>
    <br>
This leaves us with the following:<br>
    a.  One handler method can be defined at a time.  And only one.<br>
    b.  There is a very tight coupling between the PHP.ini file and<br>
        what can be done by the programmer.<br>
        <br>
Conclusions.  You can get a 'user' handler defined to track the session<br>
data in a database.  But, it must be only one way for all applications.<br>
(It could be different databases for different applications however.)<br>
It would seem that this is wrong.  It should be reasonable to define one<br>
behavior for one application and another for others.<br>
<br>
I hope this has help to clear up a few questions.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2000-08-01 08:59 UTC] stas@php.net

Please check latest CVS, it should be fixed there

[2000-08-02 19:36 UTC] michael at michaelsmacshack dot com

I see that you ask to check the latest cvs.  I pulled the
code for mod_files.h/c and php_session.h/c.  Recompiled
PHP4 pl2l with these changes.

It still has problems.  Use of session_module_name(user)
for example appears to set the handlers to'user', but the
value returned is files.  If a subsequent call is make
as session_module_name(); the current state ('user') is 
returned.  So it look like we're trying to set the correct
state, but not returning the "changed" state.

The above is minor.

It also appears that the session_module_name call *must*
occur before the setup of the "user" handlers.  Otherwize
we get an error with the session_start call complainingabout not being able to initialize the session. (see original report).

If session_module_name(files) is made and there are no
user handlers, all is well as would be expected.

if session_module_name(user) is made with user hadlers
then defined, things are not well.  No errors are reported,
but registered varriables are not retained.

The above is with no session.save_handler set in PHP.ini.

Again, if session.save_handler is set for either files or
user, that respective mode works but not the other.

Is there some other file(s) that I should have also included?
Am I doing the correct steps? e.g. session_module_name
followed by setting up the handlers....

[2000-08-02 19:53 UTC] sas@php.net

Yes, we are talking about other files. Especially about main.c IIRC. Please use a snapshot: http://snaps.php.net

Simply downloading one file might not work, because it might contain changes which depend on changes in other files.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun May 11 15:01:27 2025 UTC