PHP :: Request #69394 :: SessionHandler should not used previously defined save handler as its base class

Request #69394	SessionHandler should not used previously defined save handler as its base class
Submitted:	2015-04-07 13:19 UTC	Modified:	2016-08-27 06:40 UTC
From:	deivid dot garcia dot garcia at gmail dot com	Assigned:	yohgaki (profile)
Status:	Assigned	Package:	Session related
PHP Version:	any	OS:	any
Private report:	No	CVE-ID:	None

View Developer Edit

[2015-04-07 13:19 UTC] deivid dot garcia dot garcia at gmail dot com

Description:
------------
When using the SessionHandler class (that as per documentation wraps over the current native handler set in session.save_handler)to override the session handler with session_set_save_handler() PHP starts reporting that the session.save_handler is "user" after the override.

I can understand that this will happen when using a custom class that implements SessionHandlerInterface or directly passing custom methods to session_set_save_handler, but because we are wrapping over the underlying handler it would be better to report the original session.save_handler when doing an ini_get().

This could be further improved while keeping current behaviour if SessionHandlerInterface exposed a property or function where the Handler could report its name.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-04-09 21:13 UTC] yohgaki@php.net

-Type: Bug +Type: Feature/Change Request -Operating System: Windows +Operating System: any -PHP Version: 5.6.7 +PHP Version: any

[2016-08-27 06:40 UTC] yohgaki@php.net

-Summary: session.save_handler incorrectly reported +Summary: SessionHandler should not used previously defined save handler as its base class -Assigned To: +Assigned To: yohgaki

[2016-08-27 06:40 UTC] yohgaki@php.net

First of all, previously used save handler should not be used as base of SessionHandler. It's only useful to override save/write operation for encryption and/or session data serialization.

I would like to remove feature that SessionHandler object uses previous save handler as base class. 

To do that, we need "user defined serialize handler". There is implementation for this already. This feature was not implemented because of register_globals when session module is implemented.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Mar 31 19:01:30 2025 UTC