Fix session in long-running apps #61
| if ($this->sessionId !== null) { | ||
| session_id($this->sessionId); | ||
| } else { | ||
| session_id(session_create_id()); |
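Review bot: In the else branch, `session_id(session_create_id());` generates the ID before any session is active in the visible lines, and the PHP manual states that session_create_id() skips its collision check when no session is active. Add a comment here stating that the ID is not collision-checked, or validate the generated ID against the session handler before using it. The generated value is also not assigned to `$this->sessionId` in this hunk, so confirm it is captured once the session has started.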
What about a collision check? session_create_id doesn't check for collisions if called before the session is started.
I don't know. In Symfony it's not checked. Maybe make custom session ID creation optional? Use a boolean flag or a callback, or create a SessionIdGeneratorInterface?
I think this would be very non-intuitive for users
> I think this would be very non-intuitive for users
Then we must find solutions without collision risk. Otherwise we fix the bug for long-living apps, but add a new problem with collisions.
What about this?
session_start($this->options);
$this->sessionId = session_create_id();
session_write_close();
session_id($this->sessionId);
> What about this?
> session_start($this->options);
> $this->sessionId = session_create_id();
> session_write_close();
> session_id($this->sessionId);
This will entail additional costs for reading/writing session data.
Opening an extra session doesn't sound good to me.
There's also https://www.php.net/manual/en/session.configuration.php#ini.session.use-strict-mode. We should take that into account.
Fixes a bug for long-running applications: the session is not reset between requests. Session IDs are UTF-safe, as this may be critical for some session handlers.