Hi Rasmus,

On Wed, Feb 4, 2015 at 1:20 AM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:

> Hey Yasuo, I noticed that you removed the invalid_session_id boolean
> from php_session.h. For extensions that do:
>
>   PS(invalid_session_id) = 1;
>
> what is the new way for them?
>

First of all, PS(invalid_session_id) never worked as it was supposed to.
It wasn't used to generate a new session ID when the session ID is invalid...

To notify the session module of an invalid session ID, please use
PS_FUNC_VALIDATE_SID().

If it returns FAILURE, the session module creates a new session ID by using
PS_FUNC_CREATE_SID().
If PS_FUNC_CREATE_SID() is not implemented, the session module uses the default
php_session_create_id().

For save handlers, there are the old save handler definitions PS_FUNCS and
PS_FUNCS_SID. New save handlers are supposed to use PS_FUNCS_UPDATE_TIMESTAMP.
It requires implementing PS_CREATE_SID; if the save handler does not need a
custom session ID, the default php_session_create_id() may simply be called.
However, it is better to check for session ID collisions like the "files"
handler does. With a collision check in PS_CREATE_SID_FUNC(), collisions never
happen.

/*
 * Create session ID.
 * PARAMETERS: PS_CREATE_SID_ARGS in php_session.h
 * RETURN VALUE: Valid session ID (zend_string *) or NULL for FAILURE.
 *
 * PS_CREATE_SID_FUNC() must check for collisions, i.e. check the session
 * data to see if the new sid already exists.
 * *mod_data is guaranteed to have a non-NULL value.
 * NOTE: The default php_session_create_id() does not check for collisions.
 * If NULL is returned, the session module creates a new ID by using
 * php_session_create_id().
 * If php_session_create_id() fails due to invalid configuration, it raises
 * E_ERROR.
 * Checking the return value of php_session_create_id() for NULL is generally
 * not required.
 */
PS_CREATE_SID_FUNC(files)
{
    zend_string *sid;
    int maxfail = 3;
    PS_FILES_DATA;

    do {
        sid = php_session_create_id((void**)&data);
        if (!sid) {
            if (--maxfail < 0) {
                return NULL;
            } else {
                continue;
            }
        }
        /* Check collision */
        /* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
        if (data && ps_files_key_exists(data, sid->val) == SUCCESS) {
            if (sid) {
                zend_string_release(sid);
                sid = NULL;
            }
            if (--maxfail < 0) {
                return NULL;
            }
        }
    } while(!sid);

    return sid;
}

Summary for new save handlers
 - Use PS_FUNCS_UPDATE_TIMESTAMP/PS_MOD_UPDATE_TIMESTAMP
 - PS_VALIDATE_SID() returns FAILURE for an uninitialized session ID or
   anything the save handler decides is an invalid session ID. Otherwise,
   return SUCCESS.
 - PS_CREATE_SID() should check for session ID collisions. Return NULL for
   failure.
 - PS_UPDATE_TIMESTAMP_FUNC() must update the session data timestamp, e.g.
   touch the file for "files"; memcache updates the timestamp on read access,
   so simply return SUCCESS.

I added comments to ext/session/mod_files.c for save handler developers.
Please refer to it also.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
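
The flow described in this message (the validate step reports FAILURE for an uninitialized ID, and the session module then falls back to a collision-checked create step), as a stand-alone C model added here; it is not code from the message or from PHP. The in-memory store, `open_session`, `seq_gen`, `stuck_gen` and the bound of 4 attempts are assumptions made for illustration.

```c
/* Added example: stand-alone model, not PHP source; all names are hypothetical. */
#include <stdio.h>
#include <string.h>
#define SUCCESS 0
#define FAILURE (-1)
#define SID_MAX 32
#define MAX_SESS 8
#define MAX_TRIES 4                       /* assumed retry bound */

static char store[MAX_SESS][SID_MAX + 1]; /* constructed in-memory session store */
static int nstore, next_id;

static int key_exists(const char *sid) {
    for (int i = 0; i < nstore; i++)
        if (strcmp(store[i], sid) == 0) return SUCCESS;
    return FAILURE;
}
/* PS_VALIDATE_SID role: FAILURE for an ID this handler never initialized. */
static int validate_sid(const char *sid) {
    return (sid && *sid) ? key_exists(sid) : FAILURE;
}
typedef int (*idgen_fn)(char *out);       /* stands in for php_session_create_id() */
static int seq_gen(char *out) { snprintf(out, SID_MAX + 1, "sid-%d", next_id++); return SUCCESS; }
static int stuck_gen(char *out) { strcpy(out, "sid-0"); return SUCCESS; }

/* PS_CREATE_SID role: reject colliding IDs, give up after MAX_TRIES attempts. */
static int create_sid(idgen_fn gen, char *out) {
    for (int tries = 0; tries < MAX_TRIES; tries++)
        if (gen(out) == SUCCESS && key_exists(out) == FAILURE) return SUCCESS;
    out[0] = '\0';
    return FAILURE;
}
/* Session module role: keep a valid client ID, replace an invalid one. */
static int open_session(const char *client_sid, idgen_fn gen, char *out) {
    if (validate_sid(client_sid) == SUCCESS) {
        snprintf(out, SID_MAX + 1, "%s", client_sid);
        return SUCCESS;
    }
    if (create_sid(gen, out) != SUCCESS || nstore >= MAX_SESS) { out[0] = '\0'; return FAILURE; }
    strcpy(store[nstore++], out);         /* initialize the new session */
    return SUCCESS;
}
int main(void) {
    char sid[SID_MAX + 1];
    printf("uninitialized ID: rc=%d sid=%s\n", open_session("never-issued", seq_gen, sid), sid);
    next_id = 0;                          /* make the generator repeat sid-0 once */
    printf("collision retried: rc=%d sid=%s\n", open_session(NULL, seq_gen, sid), sid);
    printf("stuck generator: rc=%d\n", open_session(NULL, stuck_gen, sid));
    return 0;
}
```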
