Request #8978 Add a 'readonly' possibility to the session module
Submitted: 2001-01-29 06:21 UTC Modified: 2002-01-06 13:05 UTC
From: Maxim Derkachev <kot at books dot ru> Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS:
Private report: No CVE-ID: None
 [2001-01-29 06:21 UTC] Maxim Derkachev <kot at books dot ru>
Just faced the fact that the possibility to call session 'readonly' 
should be added. 
For example, when somebody calls a framed page where all 
frames are php scripts that need session variables. But in this 
case only one of them should be allowed to write session state, 
because every frame would write session state in an unpredictable order, 
and variables registered/changed in one frame could be overwritten 
by other frames, and that would definitely break an application. 
I suggest session_start could take an optional READONLY flag to 
disable write of the session data during the page shutdown.
The idea is similar to calling page_close() on only one frame in a framed page in PHPLib-based applications.

 [2001-05-16 04:02 UTC] Maxim Derkachev <kot at books dot ru>
Just made a patch against the current sources (session.c and php_session.h).

*** php_session.h.orig  Tue May 15 15:16:50 2001
--- php_session.h       Tue May 15 15:23:26 2001
***************
*** 96,100 ****
--- 96,103 ----
        zend_bool define_sid;
        zend_bool use_cookies;
+       int readonly;
  } php_ps_globals;
+
+ #define SESS_READONLY 1

  extern zend_module_entry session_module_entry;
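
Review bot: The new field is declared as int readonly while the neighbouring flags in php_ps_globals (define_sid, use_cookies) are zend_bool, and every later use in the patch treats it as a plain true/false value. Declaring it zend_bool would match the struct's convention. If SESS_READONLY is meant to become one bit among several start flags, a comment next to the #define saying so would make the int choice understandable.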
*** session.c.orig      Tue May 15 15:16:04 2001
--- session.c   Wed May 16 11:54:31 2001
***************
*** 526,529 ****
--- 526,533 ----
        PLS_FETCH();

+       if (PS(readonly)) {
+               return;
+       }
+
        if (!PG(register_globals)) {
                if (!PS(http_session_vars)) {
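
Review bot: The guard added right after PLS_FETCH() returns with no comment and no notice, and the hunk does not show which function it sits in. Since the report describes this as the point where the write at page shutdown is suppressed, a one-line comment above if (PS(readonly)) stating that the skipped save is intentional would help the next reader, who otherwise sees a save path that silently does nothing.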
***************
*** 899,902 ****
--- 903,911 ----
        zend_bool retval = SUCCESS;

+       if (PS(readonly)) {
+               php_error(E_WARNING, "Trying to destroy readonly session");
+               return FAILURE;
+       }
+
        if (PS(nr_open_sessions) == 0) {
                php_error(E_WARNING, "Trying to destroy uninitialized session");
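
Review bot: The readonly check is placed before the PS(nr_open_sessions) == 0 check, and none of the hunks in this patch resets PS(readonly) anywhere except inside session_start(). A destroy call made when no session is open could therefore report "Trying to destroy readonly session" from a leftover flag value instead of the "uninitialized session" warning. Testing nr_open_sessions first, and clearing PS(readonly) where the other per-request session globals are initialised, would avoid that.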
***************
*** 1265,1270 ****
--- 1274,1297 ----
  PHP_FUNCTION(session_start)
  {
+       pval **flag;
        PSLS_FETCH();

+       if (ZEND_NUM_ARGS() > 1)
+               WRONG_PARAM_COUNT;
+
+       if (ZEND_NUM_ARGS() == 0 ) {
+               PS(readonly) = 0;
+       }
+       if (ZEND_NUM_ARGS() == 1 && zend_get_parameters_ex(1, &flag) != FAILURE) {
+               convert_to_long_ex(flag);
+               if (((int) ((*flag)->value.lval)) == SESS_READONLY) {
+                       PS(readonly) = 1;
+               }
+               else {
+                       PS(readonly) = 0;
+               }
+       }
+
+
        php_session_start(PSLS_C);

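
Review bot: In the argument handling for session_start(), PS(readonly) is only assigned when ZEND_NUM_ARGS() == 0 or when zend_get_parameters_ex() succeeds; if the fetch fails, the flag keeps whatever value it had before and php_session_start() still runs. Setting PS(readonly) = 0 unconditionally before the argument checks, then raising it only on a successful fetch, removes that path and lets the first if block and the else branch go. The comparison == SESS_READONLY also means the value cannot be combined with any later flag; a bit test with & would keep the parameter extensible. The doubled blank line before php_session_start(PSLS_C) can be dropped.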
***************
*** 1314,1317 ****
--- 1341,1347 ----
        PSLS_FETCH();

+       if (PS(readonly))
+               return;
+
        if (PS(nr_open_sessions) == 0)
                RETURN_FALSE;
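
Review bot: The added if (PS(readonly)) return; leaves the function without setting a return value, while the very next check uses RETURN_FALSE. A caller cannot tell that the operation was refused because the session is readonly. Using RETURN_FALSE here as well, possibly with a warning like the one added to the destroy path, would keep the two refusal cases consistent.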
***************
*** 1353,1356 ****
--- 1383,1388 ----
        PSLS_FETCH();

+       REGISTER_LONG_CONSTANT("SESS_READ_ONLY", SESS_READONLY, CONST_CS);
+
        php_rinit_session_globals(PSLS_C);

***************
*** 1404,1407 ****
--- 1436,1440 ----
        PS(module_number) = module_number;
        REGISTER_INI_ENTRIES();
+       REGISTER_LONG_CONSTANT("SESS_READ_ONLY", SESS_READONLY, CONST_CS);
        return SUCCESS;
  }
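
Review bot: REGISTER_LONG_CONSTANT("SESS_READ_ONLY", ...) is added here, next to REGISTER_INI_ENTRIES(), and also in the previous hunk, just before php_rinit_session_globals(PSLS_C), so the same constant is registered in two places. One registration should be enough; if this one is kept, it likely needs CONST_CS | CONST_PERSISTENT so the constant outlives the first request. The script-level name SESS_READ_ONLY also differs from the C macro SESS_READONLY defined in php_session.h; picking one spelling would avoid confusion.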





 [2001-05-16 04:17 UTC] Maxim Derkachev <kot at books dot ru>
Forgot to include the batteries :)
After the patch above is applied, one could do:
session_start(SESS_READ_ONLY);
to start a readonly session. 
Functions that are supposed to write the session data (core session functions, not actual savehandler functions) will be disabled.
On the other page, if session_start() is called without the SESS_READ_ONLY flag, one could get the normal fully functional session, which will write the data. That would allow sessions to be used in framed pages, when one frame is allowed to change the session data and other frames only read the data, and in many other cases. E.g. for me the feature has become inevitable when I needed to write a support chat, which should read session variables, but should not change them and, most important, should not save them, because a client could browse other parts of the site (and this could affect the session vars) while he is chatting with the support. Without the readonly possibility, the new session variables could easily be rewritten by the chat script with outdated values.
 [2002-01-06 13:05 UTC] jan@php.net
Seems fixed then. Reopen if I am wrong.
 [2014-08-10 10:56 UTC] maurits at vdschee dot nl
Why was this closed? I think it is an important feature req.

see: http://www.leaseweblabs.com/2014/08/session-locking-non-blocking-read-sessions-php/
 [2014-09-01 00:45 UTC] greenreaper at hotmail dot com
You can read and close it immediately with session_write_close(), which frees the lock, but it's not quite the same.

For comparison, ASP.NET supports a ReadOnly flag which lets you specify that you will not write to the session:
http://msdn.microsoft.com/en-us/library/vstudio/16kf4xz0%28v=vs.100%29.aspx
 [2015-12-30 19:56 UTC] trobinson at gksystems dot com
This feature has been added in PHP 7:
session_start(['read_and_close'  => true])
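
The scenario from this report (one page writes the session, a second page only reads it and must not save stale values back), shown with the PHP 7 read_and_close option. This is an added example, not code from any commenter or from the PHP source; the session id, the 'cart' variable and the function names are constructed, and the default "files" save handler under the PHP 7+ CLI is assumed.

```php
<?php
// Added example, not part of the bug report. Run with the PHP 7+ CLI.
ini_set('session.use_cookies', '0');     // CLI run: no cookie headers
ini_set('session.cache_limiter', '');    // CLI run: no cache headers
ini_set('session.save_path', sys_get_temp_dir());

const SID = 'readonlydemo0123456789abcdef';  // constructed session id

// Writer page: ordinary session, data is saved when the session closes.
function writer_request(string $cart): void {
    session_id(SID);
    session_start();
    $_SESSION['cart'] = $cart;
    session_write_close();
}

// Reader page (the chat script or a secondary frame): the session data is
// read and the session is closed at once, so the lock is released and
// nothing this request does to $_SESSION is written back.
function reader_request(): string {
    session_id(SID);
    session_start(['read_and_close' => true]);
    $seen = $_SESSION['cart'] ?? '';
    $_SESSION['cart'] = 'stale value from reader';  // in-memory only
    return $seen;
}

// Fresh read of what is actually stored for the session.
function stored_cart(): string {
    session_id(SID);
    session_start(['read_and_close' => true]);
    return $_SESSION['cart'] ?? '';
}

writer_request('2 books');
$seen  = reader_request();   // value the reader page was given
$after = stored_cart();      // value still stored after the reader ran

// Remove the constructed session file again.
session_id(SID);
session_start();
session_destroy();

// Output comes last so no session call runs after output has started.
echo "reader saw:          $seen\n";
echo "stored after reader: $after\n";
```

Both lines print the writer's value: the reader's assignment to $_SESSION never reaches the save handler.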
 
Last updated: Sat Aug 15 18:01:26 2020 UTC