Request #69394 SessionHandler should not used previously defined save handler as its base class
Submitted: 2015-04-07 13:19 UTC
Modified: 2016-08-27 06:40 UTC
From: deivid dot garcia dot garcia at gmail dot com
Assigned: yohgaki (profile)
Status: Assigned
Package: Session related
PHP Version: any
OS: any
Private report: No
CVE-ID: None

 [2015-04-07 13:19 UTC] deivid dot garcia dot garcia at gmail dot com
When using the SessionHandler class (which, as per the documentation, wraps the current native handler set in session.save_handler) to override the session handler with session_set_save_handler(), PHP starts reporting that the session.save_handler is "user" after the override.

I can understand that this will happen when using a custom class that implements SessionHandlerInterface or directly passing custom methods to session_set_save_handler, but because we are wrapping over the underlying handler it would be better to report the original session.save_handler when doing an ini_get().

This could be further improved while keeping current behaviour if SessionHandlerInterface exposed a property or function where the Handler could report its name.
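The behaviour reported above, together with one way a wrapper can keep the native handler's name, as an added example that is not part of the original report or of PHP itself. `NamedSessionHandler` and `wrappedName()` are hypothetical names; the script assumes the CLI SAPI, PHP 7 or later, and the default "files" module.

```php
<?php
// Added illustration; NamedSessionHandler and wrappedName() are hypothetical
// names, not part of PHP. Assumes session.save_handler starts out as "files".
class NamedSessionHandler extends SessionHandler
{
    private $wrapped;

    public function __construct()
    {
        // Capture the native module name while the ini value still holds it,
        // i.e. before session_set_save_handler() is called.
        $this->wrapped = (string) ini_get('session.save_handler');
    }

    public function wrappedName()
    {
        return $this->wrapped;
    }
}

// Constructed scratch directory so the run touches no real session data.
$dir = sys_get_temp_dir() . '/sess-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
session_save_path($dir);

$handler = new NamedSessionHandler();
session_set_save_handler($handler, true);
$reported = ini_get('session.save_handler'); // value seen after the override

session_start();
$_SESSION['k'] = 'v';
$id = session_id();
session_write_close();

// Check where the data went: a sess_<id> file means the wrapped "files"
// module still did the storage, whatever ini_get() reports.
$file = "$dir/sess_$id";
$onDisk = is_file($file);
if ($onDisk) {
    unlink($file);
}
rmdir($dir);

// Output is deferred to the end so no headers are sent before session_start().
printf("ini_get after override: %s\n", $reported);
printf("wrapped handler name:   %s\n", $handler->wrappedName());
printf("session file written:   %s\n", $onDisk ? 'yes' : 'no');
```

A configuration audit that relies only on ini_get('session.save_handler') would record the first line; the other two show which storage backend is actually in use.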


 [2015-04-09 21:13 UTC]
-Type: Bug
+Type: Feature/Change Request
-Operating System: Windows
+Operating System: any
-PHP Version: 5.6.7
+PHP Version: any
 [2016-08-27 06:40 UTC]
-Summary: session.save_handler incorrectly reported
+Summary: SessionHandler should not used previously defined save handler as its base class
-Assigned To:
+Assigned To: yohgaki
 [2016-08-27 06:40 UTC]
First of all, the previously used save handler should not be used as the base of SessionHandler. It's only useful to override the save/write operation for encryption and/or session data serialization.

I would like to remove the feature whereby the SessionHandler object uses the previous save handler as its base class.

To do that, we need a "user defined serialize handler". There is an implementation for this already. This feature was not implemented because of register_globals when the session module was implemented.
Last updated: Tue Mar 05 02:01:30 2024 UTC