[WIP][HttpFoundation] Trap fatal configuration condition. #4255
Conversation
session.auto_start actually starts a session the instant PHP starts using the php.ini defined session.save_handler and thus makes the entire PHP process incompatible with Symfony2 sessions. The setting also appears to be useless if set at runtime also.
Why ? What would prevent us from using the Session ? (Not speaking about the current code but technically ?) |
|
I'm really not sure this is a good idea. It would be better as part of the config.php/check.php scripts IMO, to give you a warning that your system may be misconfigured, but enforcing it like that may put people in trouble if they can not disable the option. |
|
@vicd - once a session has started it means PHP has bound itself to the session handlers (whatever was defined at PHP init - usually @Seldaek - in Symfony2 Full Stack framework world maybe it's OK, but as a standalone component you may not have a checks.php. The fact is, if this (rare) condition is met, it is a runtime error. The point is quite simple, if |
|
@Drak what about if you detect that doing session_write_close()? Then configuring it and calling session_start() should do the right thing no? |
|
@vicb - It's not related to #4208. What I am saying is that @Seldaek Maybe - I'll switch this to [WIP] status ad see, but it might be a bit too hacky since we're talking about environment. |
|
For reference, |
|
@Drak I think it is related - if the handler configuration is done in php.ini (rather than in the native handlers) then the Session component could use the PHP session no matter if it has already been (session.auto_)started. (PHP_INI_ALL implies PHP_INI_USER which allows updates from PHP code ( |
You cannot configure custom session handlers from php.ini, it can only be done in user-land after PHP has started. You can still/already configure native save handlers from php.ini and the Symfony2 handlers do not overwrite those settings. Look at the constructors of the This particular class performs housekeeping/management around the sessions data. Ini directives are not forced by default, except two values (use_cookies and cache_limiter which are sensible defaults). We give complete freedom to the developer as everything is explicitly set by the dev, not Symfony2 - this was discussed at length in some FrameworkBundle issues/PRs. |
This code has no relevence as session.auto_start's effect is pre userland runtime.
We agree here, the linked PR is about native handlers which is why it is related
When speaking about configuration, I mean the settings mentioned in the related PR (and not Coming back to my initial question: Is there anything that technically prevent supporting Sf sessions when auto_start is on ? (This PR proposes not to support this case). |
Symfony sessions have never supported this case and technically it's challenging (read not possible). Overall, this PR does not change anything - it simply highlights a condition where PHP would invisibly not use the save handler you have configured. I had assumed the setting would auto start sessions on demand - that would make sense and that is what I had coded for. |
|
I would not throw an exception but try to log an notice. |
|
@Drak what do you mean by "read not possible" when PHP sessions are auto-started ? |
|
What we do today (when using a native handler)
What should work (related to 4208)
Then why the following can't work:
|
|
Here is what I have been talking about https://bugs.php.net/bug.php?id=62015 Let's say you are using the PDO handler - by the time Symfony2 is ready to use the session it's already using the internal files handler. session.auto_start is absolutely 100% incompatible and the code should throw a runtime exception. Currently I have it as a PHP notice, but this is wrong, it should be an exception. Basically, the scope of |
|
@Drak: Why did you close this PR if you think this is the way to go? |
|
@Drak I should have been more explicit to make it clear: I was speaking using auto_start with native handlers (which is what the related PR is about). It is of course not possible to use a custom handler as they are configured by code ( However if a native handler is configured in the ini file (as in the related PR) there should be nothing preventing to the use of auto_start = 1. Changing |
|
@vicb - Yes indeed, but anything that starts the session except I believe The PHP.ini default is also off, which is a clear indication that it is not a sensible default any more. Interestingly even Zend_Session expressly forbids I further assert that if one is using Sf2 HttpFoundation in the first place, one can surely expect sessions to be used as we have documented. As documented we dont use |
Could you detail what may not work as intended ? If supporting autostart is only a matter of wrapping |
Bug fix: no
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass: yes
Fixes the following tickets: -
Todo: -
License of the code: MIT
It seems three is an unexpected behaviour in PHP - but basically the ini directive
session.auto_startactually starts a session the instant PHP initialises as opposed to "on-demand" when PHP actually needs a session.This means two things:
1the session will have already started, and if it was0, then setting it to1will have zero effect.1we cannot use the session.It seems like this runtime exception is wise. Fortunately, the default in
php.iniis forauto_start = 0.