Bug #74255 session.use_strict_mode doesn't work with session_set_save_handler upon 'files'
Submitted: 2017-03-16 07:25 UTC Modified: 2017-03-25 06:15 UTC
From: greedy dot ivan at gmail dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 7.1.2 OS: Windows
Private report: No CVE-ID: None
 [2017-03-16 07:25 UTC] greedy dot ivan at gmail dot com
Description:
------------
When session.use_strict_mode is on and a custom session handler is wrapped around the 'files' internal handler, the session id doesn't regenerate if the session id doesn't exist.

If you delete the session file and rerun, the script must create a file with a new session id.
It works as expected without session_set_save_handler.
When session_set_save_handler is set, the session id doesn't regenerate.

So you cannot simply extend the internal handler with encrypt/decrypt (or something else), because you must redefine the open method and all the internal logic for finding the session file.

Test script:
---------------
<?php
session_module_name('files');
ini_set('session.use_strict_mode', '1');

// Wrapper that only exposes the internal 'files' handler and adds nothing.
class MySessionHandler extends SessionHandler{}
session_set_save_handler(new MySessionHandler(), true);

session_start();
var_dump(session_id());



Expected result:
----------------
If you delete the session file, the next run shows you another session_id.

Actual result:
--------------
You always get the same session id.

History

 [2017-03-16 10:36 UTC] yohgaki@php.net
-Status: Open +Status: Not a bug
 [2017-03-16 10:36 UTC] yohgaki@php.net
You must define validateSid handler to make use_strict_mode work.
 [2017-03-16 11:37 UTC] greedy dot ivan at gmail dot com
It doesn't work either.

I can't use
class MySessionHandler extends SessionHandler
{
    public function validateId($key){
        return parent::validateId($key);
    }
}
because SessionHandler::validateId() is not defined.

Is there any method to wrap internal 'files' handler with use_strict_mode?
 [2017-03-25 06:15 UTC] greedy dot ivan at gmail dot com
Because the use_strict_mode flag is ignored when the 'files' session handler is exposed, a custom validateId method must be implemented, which depends on the internal implementation of the file storage mechanism.

This is a minimal implementation:
<?php
session_module_name('files');
ini_set('session.use_strict_mode', '1');

session_set_save_handler(new MySessionHandler(), true);

session_start();
var_dump(session_id());

class MySessionHandler extends SessionHandler
{
    /**
     * Get the full path to the session file.
     *
     * This depends on the internal implementation of the 'files' handler
     * (session.save_path may be "N;/path" or "N;MODE;/path", meaning N levels
     * of subdirectories named after the first N characters of the id).
     * Must be reviewed after each PHP release.
     */
    private function getFullPathName(string $key) : string
    {
        if (empty($filename = session_save_path())) {
            $filename = sys_get_temp_dir();
        } elseif (strpos($filename, ';') !== false) {
            $data = explode(';', $filename);
            $count = (int) $data[0];
            $filename = end($data);
            for ($i = 0; $i < $count; $i++) {
                $filename .= '/' . $key[$i];
            }
        }
        return $filename.'/sess_'.$key;
    }

    // Called by session_start() under use_strict_mode; returning false makes
    // PHP discard the supplied id and generate a fresh one.
    public function validateId($key)
    {
        return file_exists($this->getFullPathName($key));
    }
}
 [2018-01-04 21:27 UTC] andrew at fw dot net dot nz
I've run into this issue myself and believe it is a bug. The SessionHandler class is described as "a special class that can be used to expose the current internal PHP session save handler". So the expectation is that using SessionHandler as-is will provide the same functionality as if you had not set any save handler, but in practice this will disable the 'use_strict_mode' option.

session_module_name('files');
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new SessionHandler(), true); // This breaks strict_mode

The root issue is that the SessionHandler class does not implement validateId().
With no other way to expose the internal handler for validating the id, we are forced to figure out how the internal files storage works and implement the validation manually.
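A wrapper that restores use_strict_mode, added here as an example (not code from the bug report or from PHP itself) covering both the validateId workaround posted above and the missing method noted in this comment. It assumes session.save_path is a plain directory (no "N;" depth prefix), that it runs from the CLI, and it uses a constructed never-issued id to show the rejection:

```php
<?php
declare(strict_types=1);
// Wraps the internal 'files' handler and adds the two methods SessionHandler
// lacks, so strict mode can ask whether a client-supplied id is known.
final class StrictFilesHandler extends SessionHandler implements SessionUpdateTimestampHandlerInterface
{
    // Called by session_start() under use_strict_mode before an id is accepted.
    public function validateId($id): bool
    {
        // Cheap shape check before touching the filesystem: the character set
        // PHP itself can emit for ids is 0-9, a-z, A-Z, ',' and '-'.
        if (!is_string($id) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            return false;
        }
        // Assumption: session.save_path is a plain directory without the "N;" depth prefix.
        return is_file(rtrim(session_save_path(), '/\\') . DIRECTORY_SEPARATOR . 'sess_' . $id);
    }

    // SessionHandler has no updateTimestamp() either; rewriting the data is the
    // fallback PHP itself uses for handlers that do not implement it.
    public function updateTimestamp($id, $data): bool
    {
        return $this->write($id, $data);
    }
}

// Isolated save path so the demo does not touch real sessions.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'strict_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
ini_set('session.save_path', $dir);
ini_set('session.use_strict_mode', '1');
session_module_name('files');
session_set_save_handler(new StrictFilesHandler(), true);
// Constructed id that the server never issued (what a fixation attempt would present).
$forged = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
$_COOKIE[session_name()] = $forged;   // the CLI reads the id from $_COOKIE
session_start();
$issued = session_id();
session_write_close();

// Present the id that was just issued: it now has a file, so it must be kept.
$_COOKIE[session_name()] = $issued;
session_start();
$kept = session_id() === $issued;
session_write_close();

array_map('unlink', glob($dir . '/sess_*') ?: []);
rmdir($dir);
printf("forged id rejected: %s\nknown id kept: %s\n", $issued !== $forged ? 'yes' : 'NO', $kept ? 'yes' : 'NO');
```

Swapping StrictFilesHandler for a bare `new SessionHandler()` in the same script reproduces the report: the forged id is accepted unchanged.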
 