0

We need to make use of session_write_close() inside a lot of existing code. But this looks dangerous to us, because PHP does the following - without giving any warning or error:

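session_name('goodoldasdf');
session_start();

// Show what the previous request actually persisted
if (!empty($_SESSION['var'])) {
    print ' Session-Data: '. $_SESSION['var'];
}

$_SESSION['var'] = "before";

session_write_close(); // session data is written and the session is closed here

$_SESSION['var'] = "after"; // notice: definition after write close!

// Label matches the output quoted below
print ' Pseudo-Session-Data: '. $_SESSION['var'];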

When we define a SESSION-var after session_write_close, PHP won't write the SESSION into the MemcacheD session handler (as expected) - but it still uses the overwrite inside the same script runtime.

Output: " Pseudo-Session-Data: after".

Second run:

Output: " Session-Data: before Pseudo-Session-Data: after"

The question is: How to make sure that PHP is not using pseudo SESSION-vars that are not actually written into the sessions? Is there a way to get PHP warnings here? Or any suggestions to handle this issue?


Why we need to add the write close everywhere: After updating "PHP 5.x" to "PHP 7" everything slows down. Notably on AJAX requests or when simultaneously loading multiple tabs. It's because PHP 7 seems to have changed its SESSION handling / blocking.

Very good demo: https://demo.ma.ttias.be/demo-php-blocking-sessions/

So we need to add session_write_close to a lot of scripts - without risking invalid session values.

3
  • So use a non-blocking handler with optimistic locking. Commented Feb 19, 2019 at 17:31
  • Got some more information about it? Commented Feb 19, 2019 at 18:03
  • There is a non-blocking handler included here (in a framework that you can use to add storage substrates and the optimistic locking as separate concerns) phpclasses.org/package/… Commented Feb 19, 2019 at 18:59

2 Answers

1

You can look at the output of session_status() (Docs)

switch(session_status()) {
    case PHP_SESSION_DISABLED:
        die('Sessions disabled on this server');
    case PHP_SESSION_NONE:
        die('Session has not been started, or has been closed');
    case PHP_SESSION_ACTIVE:
        die('There is currently an active session');
}

You can utilise this with a wrapper function for getting / setting session variables.

1 Comment

Thanks for your comment. Checking the session_status every time before writing to SESSION seems laborious. I'm wondering if PHP has any global error handling for this.
1

Instead of session_write_close(); write your own function and unset the superglobal:

function session_stop() {
    session_write_close();
    unset($_SESSION);
}

Now you will get:

Notice: Undefined variable: _SESSION in file X line Y

1 Comment

You would also not be able to read the session data anymore, would you?
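
One way to make writes after the close fail loudly while reads keep working, which is the concern raised in the comment above. This is an added example, not code from the thread: `ClosedSessionView` is a hypothetical class name, `session_stop()` reuses the name from the answer, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: read-only stand-in for $_SESSION once the session is closed.
final class ClosedSessionView implements ArrayAccess
{
    private $data;

    public function __construct(array $data) { $this->data = $data; }

    public function offsetExists($key): bool { return isset($this->data[$key]); }

    #[\ReturnTypeWillChange]
    public function offsetGet($key) { return $this->data[$key] ?? null; }

    public function offsetSet($key, $value): void
    {
        // The write would never reach the session handler, so refuse it.
        throw new LogicException("Write to \$_SESSION['$key'] after session_write_close()");
    }

    public function offsetUnset($key): void
    {
        throw new LogicException("Unset of \$_SESSION['$key'] after session_write_close()");
    }
}

function session_stop(): void
{
    if (isset($_SESSION) && $_SESSION instanceof ClosedSessionView) {
        return; // already closed and frozen
    }
    session_write_close();                               // persist data, end the session
    $_SESSION = new ClosedSessionView($_SESSION ?? []);  // freeze the in-memory copy
}

// Same flow as the script in the question
session_name('goodoldasdf');
session_start();
$_SESSION['var'] = 'before';
session_stop();

print ' Session-Data: ' . $_SESSION['var'];  // reads still work
try {
    $_SESSION['var'] = 'after';              // write after close is rejected
} catch (LogicException $e) {
    print ' Rejected: ' . $e->getMessage();
}
```

Nested writes such as `$_SESSION['a']['b'] = 1` go through `offsetGet()` and only raise PHP's "Indirect modification of overloaded element" notice instead of the exception. Array functions such as `array_key_exists()` no longer accept `$_SESSION` once it is an object.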
