symfony
diff --git a/‎composer.json
Lines changed: 1 addition & 1 deletion b/‎composer.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
Lines changed: 3 additions & 10 deletions b/‎src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
Lines changed: 3 additions & 10 deletions
diff --git a/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
Lines changed: 3 additions & 1 deletion b/‎src/Symfony/Bundle/FrameworkBundle/Resources/config/session.xml
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php
Lines changed: 115 additions & 0 deletions b/‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/AbstractSessionHandler.php
Lines changed: 115 additions & 0 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MemcachedSessionHandler.php
Lines changed: 15 additions & 5 deletions b/‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MemcachedSessionHandler.php
Lines changed: 15 additions & 5 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MongoDbSessionHandler.php
Lines changed: 7 additions & 5 deletions b/‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/MongoDbSessionHandler.php
Lines changed: 7 additions & 5 deletions
diff --git a/‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php
Lines changed: 10 additions & 6 deletions b/‎src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php
Lines changed: 10 additions & 6 deletions
@@ -30,7 +30,7 @@
         "symfony/polyfill-intl-icu": "~1.0",
         "symfony/polyfill-mbstring": "~1.0",
         "symfony/polyfill-php56": "~1.0",
-        "symfony/polyfill-php70": "~1.0",
+        "symfony/polyfill-php70": "~1.6",
         "symfony/polyfill-util": "~1.0"
     },
     "replace": {
 
@@ -908,24 +908,17 @@ private function registerSessionConfiguration(array $config, ContainerBuilder $c
             }
         }
 
-        $container->setParameter('session.storage.options', $options);
-
         // session handler (the internal callback registered with PHP session management)
         if (null === $config['handler_id']) {
             // Set the handler class to be null
             $container->getDefinition('session.storage.native')->replaceArgument(1, null);
             $container->getDefinition('session.storage.php_bridge')->replaceArgument(0, null);
         } else {
-            $handlerId = $config['handler_id'];
-
-            if ($config['metadata_update_threshold'] > 0) {
-                $container->getDefinition('session.handler.write_check')->addArgument(new Reference($handlerId));
-                $handlerId = 'session.handler.write_check';
-            }
-
-            $container->setAlias('session.handler', $handlerId)->setPrivate(true);
+            $options['lazy_write'] = 1;
+            $container->setAlias('session.handler', $config['handler_id'])->setPrivate(true);
         }
 
+        $container->setParameter('session.storage.options', $options);
         $container->setParameter('session.save_path', $config['save_path']);
 
         if (\PHP_VERSION_ID < 70000) {
 
@@ -52,7 +52,9 @@
             <argument>%session.save_path%</argument>
         </service>
 
-        <service id="session.handler.write_check" class="Symfony\Component\HttpFoundation\Session\Storage\Handler\WriteCheckSessionHandler" />
+        <service id="session.handler.write_check" class="Symfony\Component\HttpFoundation\Session\Storage\Handler\WriteCheckSessionHandler">
+            <deprecated>The "%service_id%" service is deprecated since Symfony 3.4 and will be removed in 4.0. Use the `session.lazy_write` ini setting instead.</deprecated>
+        </service>
 
         <service id="session_listener" class="Symfony\Component\HttpKernel\EventListener\SessionListener">
             <tag name="kernel.event_subscriber" />
 
@@ -0,0 +1,115 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\HttpFoundation\Session\Storage\Handler;
+
+/**
+ * @author Nicolas Grekas <p@tchwork.com>
+ */
+abstract class AbstractSessionHandler implements \SessionHandlerInterface, \SessionUpdateTimestampHandlerInterface
+{
+    protected $sessionName;
+
+    private $prefetchId;
+    private $prefetchData;
+
+    abstract protected function doRead($sessionId);
+
+    abstract protected function doWrite($sessionId, $data);
+
+    abstract protected function doDestroy($sessionId);
+
+    /**
+     * {@inheritdoc}
+     */
+    public function validateId($sessionId)
+    {
+        $this->prefetchId = $sessionId;
+        $this->prefetchData = $this->doRead($sessionId);
+
+        return '' !== $this->prefetchData;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function read($sessionId)
+    {
+        if (null !== $this->prefetchId) {
+            $prefetchId = $this->prefetchId;
+            $prefetchData = $this->prefetchData;
+            $this->prefetchId = $this->prefetchData = null;
+
+            if ($prefetchId === $sessionId) {
+                return $prefetchData;
+            }
+        }
+
+        return $this->doRead($sessionId);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function updateTimestamp($sessionId, $data)
+    {
+        return $this->write($sessionId, $data);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function write($sessionId, $data)
+    {
+        if ('' === $data) {
+            return $this->destroy($sessionId);
+        }
+
+        return $this->doWrite($sessionId, $data);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function destroy($sessionId)
+    {
+        if (!headers_sent()) {
+            $sessionCookie = sprintf(' %s=', urlencode($this->sessionName));
+            $sessionCookieWithId = sprintf('%s%s;', $sessionCookie, urlencode($sessionId));
+            $sessionCookieFound = false;
+            $otherCookies = array();
+            foreach (headers_list() as $h) {
+                if (0 !== stripos($h, 'Set-Cookie:')) {
+                    continue;
+                }
+                if (11 === strpos($h, $sessionCookie, 11)) {
+                    $sessionCookieFound = true;
+
+                    if (11 !== strpos($h, $sessionCookieWithId, 11)) {
+                        $otherCookies[] = $h;
+                    }
+                } else {
+                    $otherCookies[] = $h;
+                }
+            }
+            if ($sessionCookieFound) {
+                header_remove('Set-Cookie');
+                foreach ($otherCookies as $h) {
+                    header('Set-Cookie:'.$h, false);
+                }
+            } else {
+                setcookie($this->sessionName, '', 0);
+            }
+        }
+
+        return $this->doDestroy($sessionId);
+    }
+}
@@ -19,7 +19,7 @@
  *
  * @author Drak <drak@zikula.org>
  */
-class MemcachedSessionHandler implements \SessionHandlerInterface
+class MemcachedSessionHandler extends AbstractSessionHandler
 {
     /**
      * @var \Memcached Memcached driver
@@ -39,7 +39,7 @@ class MemcachedSessionHandler implements \SessionHandlerInterface
     /**
      * List of available options:
      *  * prefix: The prefix to use for the memcached keys in order to avoid collision
-     *  * expiretime: The time to live in seconds
+     *  * expiretime: The time to live in seconds.
      *
      * @param \Memcached $memcached A \Memcached instance
      * @param array      $options   An associative array of Memcached options
@@ -65,6 +65,8 @@ public function __construct(\Memcached $memcached, array $options = array())
      */
     public function open($savePath, $sessionName)
     {
+        $this->sessionName = $sessionName;
+
         return true;
     }
 
@@ -79,23 +81,31 @@ public function close()
     /**
      * {@inheritdoc}
      */
-    public function read($sessionId)
+    protected function doRead($sessionId)
     {
         return $this->memcached->get($this->prefix.$sessionId) ?: '';
     }
 
     /**
      * {@inheritdoc}
      */
-    public function write($sessionId, $data)
+    public function updateTimestamp($sessionId, $data)
+    {
+        return $this->memcached->touch($this->prefix.$sessionId, time() + $this->ttl);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function doWrite($sessionId, $data)
     {
         return $this->memcached->set($this->prefix.$sessionId, $data, time() + $this->ttl);
     }
 
     /**
      * {@inheritdoc}
      */
-    public function destroy($sessionId)
+    protected function doDestroy($sessionId)
     {
         $result = $this->memcached->delete($this->prefix.$sessionId);
 
 
@@ -19,7 +19,7 @@
  * @see https://packagist.org/packages/mongodb/mongodb
  * @see http://php.net/manual/en/set.mongodb.php
  */
-class MongoDbSessionHandler implements \SessionHandlerInterface
+class MongoDbSessionHandler extends AbstractSessionHandler
 {
     /**
      * @var \Mongo|\MongoClient|\MongoDB\Client
@@ -43,7 +43,7 @@ class MongoDbSessionHandler implements \SessionHandlerInterface
      *  * id_field: The field name for storing the session id [default: _id]
      *  * data_field: The field name for storing the session data [default: data]
      *  * time_field: The field name for storing the timestamp [default: time]
-     *  * expiry_field: The field name for storing the expiry-timestamp [default: expires_at]
+     *  * expiry_field: The field name for storing the expiry-timestamp [default: expires_at].
      *
      * It is strongly recommended to put an index on the `expiry_field` for
      * garbage-collection. Alternatively it's possible to automatically expire
@@ -97,6 +97,8 @@ public function __construct($mongo, array $options)
      */
     public function open($savePath, $sessionName)
     {
+        $this->sessionName = $sessionName;
+
         return true;
     }
 
@@ -111,7 +113,7 @@ public function close()
     /**
      * {@inheritdoc}
      */
-    public function destroy($sessionId)
+    protected function doDestroy($sessionId)
     {
         $methodName = $this->mongo instanceof \MongoDB\Client ? 'deleteOne' : 'remove';
 
@@ -139,7 +141,7 @@ public function gc($maxlifetime)
     /**
      * {@inheritdoc}
      */
-    public function write($sessionId, $data)
+    protected function doWrite($sessionId, $data)
     {
         $expiry = $this->createDateTime(time() + (int) ini_get('session.gc_maxlifetime'));
 
@@ -171,7 +173,7 @@ public function write($sessionId, $data)
     /**
      * {@inheritdoc}
      */
-    public function read($sessionId)
+    protected function doRead($sessionId)
     {
         $dbData = $this->getCollection()->findOne(array(
             $this->options['id_field'] => $sessionId,
 
@@ -38,7 +38,7 @@
  * @author Michael Williams <michael.williams@funsational.com>
  * @author Tobias Schultze <http://tobion.de>
  */
-class PdoSessionHandler implements \SessionHandlerInterface
+class PdoSessionHandler extends AbstractSessionHandler
 {
     /**
      * No locking is done. This means sessions are prone to loss of data due to
@@ -260,6 +260,8 @@ public function isSessionExpired()
      */
     public function open($savePath, $sessionName)
     {
+        $this->sessionName = $sessionName;
+
         if (null === $this->pdo) {
             $this->connect($this->dsn ?: $savePath);
         }
     public function read($sessionId)
     {
         try {
-            return $this->doRead($sessionId);
+            return parent::read($sessionId);
         } catch (\PDOException $e) {
             $this->rollback();
 
@@ -296,7 +298,7 @@ public function gc($maxlifetime)
     /**
      * {@inheritdoc}
      */
-    public function destroy($sessionId)
+    protected function doDestroy($sessionId)
     {
         // delete the record associated with this id
         $sql = "DELETE FROM $this->table WHERE $this->idCol = :id";
@@ -317,7 +319,7 @@ public function destroy($sessionId)
     /**
      * {@inheritdoc}
      */
-    public function write($sessionId, $data)
+    protected function doWrite($sessionId, $data)
     {
         $maxlifetime = (int) ini_get('session.gc_maxlifetime');
 
@@ -491,7 +493,7 @@ private function rollback()
      *
      * @return string The session data
      */
-    private function doRead($sessionId)
+    protected function doRead($sessionId)
     {
         $this->sessionExpired = false;
 
@@ -517,7 +519,9 @@ private function doRead($sessionId)
                 return is_resource($sessionRows[0][0]) ? stream_get_contents($sessionRows[0][0]) : $sessionRows[0][0];
             }
 
-            if (self::LOCK_TRANSACTIONAL === $this->lockMode && 'sqlite' !== $this->driver) {
+            if (\PHP_VERSION_ID < 70000 && self::LOCK_TRANSACTIONAL === $this->lockMode && 'sqlite' !== $this->driver) {
+                // Before PHP 7.0, session fixation was possible so locking could be needed even when creating a session.
+                // Starting with 7.0, secure random ids are generated so not concurrency is possible, thus this code path can be removed.
                 // Exclusive-reading of non-existent rows does not block, so we need to do an insert to block
                 // until other connections to the session are committed.
                 try {