Hi! Earlier today I was working on a small tool to invalidate PHP Sessions in a legacy system. I quickly found out about the `session_decode()` function, but unfortunately this function requires an active session and it is completely stateful, which means that when I try to decode specific session data, I end up overriding the existing session.
I also tried combining `ob_start()` with `session_id()`, `session_start()`, `session_destroy()` and `ob_end_clean()`, but this would still cause some weird behaviors by sending two PHP Cookies through the Response Headers. In an ideal world, I would override `session.serialize_handler` and be done with it, but that would require invalidating every existing session and some non-trivial changes in the 20-year-old codebase.

To my original question, is there any exposed API that would give userland access to the session deserializer algorithm in a stateless manner? Something like `session_deserialize(string $data): array;`, preferably in a way that 1) doesn't require or doesn't conflict with any existing session and 2) returns the session array without any side effects?

If not, would this be something that requires an RFC? Are there any controversial thoughts around it?

Thanks!

--
Marco Deleu
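
A userland sketch of the stateless decode asked about above, added here as an example; it is not part of the original message and not a PHP core API. The names `skip_value()` and `userland_session_decode()` are hypothetical. It assumes the default `php` value of `session.serialize_handler` (`key|value` pairs), no `C:` custom-serialized objects, and no references shared between top-level keys.

```php
<?php
// Hypothetical helper (added example): offset just past the serialized value at $p.
function skip_value(string $d, int $p): int
{
    // Reads "<digits>:" at $from and returns [number, offset after the colon].
    $num = function (int $from) use ($d): array {
        if (!preg_match('/\G(\d+):/', $d, $m, 0, $from)) {
            throw new UnexpectedValueException("Bad length at offset $from");
        }
        return [(int) $m[1], $from + strlen($m[0])];
    };
    switch ($d[$p] ?? '') {
        case 'N': return $p + 2;                  // N;
        case 'b': case 'i': case 'd': case 'r': case 'R':
            $end = strpos($d, ';', $p);           // scalar or reference, ends at ';'
            if ($end === false) {
                throw new UnexpectedValueException("Unterminated value at offset $p");
            }
            return $end + 1;
        case 's': case 'E':                       // s:<len>:"<bytes>";
            [$len, $q] = $num($p + 2);
            return $q + $len + 3;                 // two quotes and ';'
        case 'O':                                 // O:<len>:"<class>":<n>:{...}
            [$len, $q] = $num($p + 2);
            $p = $q + $len + 1;                   // closing quote; no break, rest is like a:<n>:{
        case 'a':                                 // a:<n>:{<key><value>...}
            [$n, $q] = $num($p + 2);
            for ($p = $q + 1, $i = 0; $i < 2 * $n; $i++) { $p = skip_value($d, $p); }
            return $p + 1;                        // closing '}'
        default:
            throw new UnexpectedValueException("Unsupported type at offset $p");
    }
}

// Hypothetical name. Never touches $_SESSION, cookies or headers; allowed_classes=false
// returns stored objects as __PHP_Incomplete_Class instead of instantiating them.
function userland_session_decode(string $data): array
{
    $out = [];
    for ($p = 0, $n = strlen($data); $p < $n; $p = $end) {
        $bar = strpos($data, '|', $p);            // <key>|<serialized value>
        if ($bar === false) {
            throw new UnexpectedValueException("Missing '|' after offset $p");
        }
        $end = skip_value($data, $bar + 1);
        $value = substr($data, $bar + 1, $end - $bar - 1);
        $out[substr($data, $p, $bar - $p)] = unserialize($value, ['allowed_classes' => false]);
    }
    return $out;
}
```

For the constructed input `user_id|i:42;roles|a:1:{i:0;s:5:"admin";}` this returns `['user_id' => 42, 'roles' => ['admin']]`. The scanner measures each value's length from the format itself, so a `|` or `;` inside a string value does not split a record.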