[PHP-DEV] Re: Fixing insane session_start() behaviors

Sun, 16 Oct 2016 18:20:08 -0700 

Hi Davey,

On Sun, Oct 16, 2016 at 6:08 PM, Yasuo Ohgaki <[email protected]> wrote:
>
> I was planning to fix session_start() behaviors by PHP 7.1, but I
> forgot to do this completely. Partial fix is merged currently.
>
> Following PR makes session_start() return FALSE when it cannot start
> session always.
>
> https://github.com/php/php-src/pull/2167
>
> In short, this patch fixes number of session_start()'s insane behaviors.
>
> Original session_start() is designed to continue execution as much as
> it can. This design caused a lot of issues including number of crash
> bugs. We've removed most issues caused by this design, but
> session_start() behaves insane way. e.g. Return TRUE and initializes
> $_SESSION array for useless session, improper error messages, memory
> leak, etc. (Please verify phpt changes how this patch makes
> session_start() behave sane way)
>
> This fix may change app behavior. However, it changes behavior only
> when there is useless session which is fatal anyway. Therefore, it
> could be applied to PHP 7.1. IMO.
>
> What do you think?

Since session_start() is made to set proper session status finally,
many bugs and inconsistencies can be fixed altogether.

I pushed patch fixes number of nonsense/inconsistent session function
behaviors. The additional patch is pushed so that it's easy to cherry
pick minimum fixes. The last push is the additional fixes.

 - Disallow nonsense function usage.
   . Do not allow to change cookie parameters when it has no effects.
     session_set_cookie_params() session_cache_limiter()
   . Dn not allow to change INI parameters when it cannot be changed.
     session_name() session_module_name() session_save_path()
session_set_save_handler() session_cache_expire()
   . Do not allow parameter for void parameter functions.
     session_unset() session_write_close() session_commit()
session_abort() session_reset()
 - Return function status as it should.
    . session_abort()  session_flush() session_commit()
session_write_close() session_reset() session_destroy()
 - Raise proper errors.
    . Many functions.

Session module allows insane usage currently. This will fix most of them.
I need to address nonsense INI usage. There will be one more push at
least for this.

Regards,

--
Yasuo Ohgaki
[email protected]

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to