Newsgroups: php.internals
Date: Wed, 22 Nov 2023 18:05:46 -0300
To: PHP internals
Subject: Ability to session_decode() in a stateless manner?
From: deleugyn@gmail.com (Deleu)

Hi!

Earlier today I was working on a small tool to invalidate PHP Sessions in a legacy system. I quickly found out about the `session_decode()` function, but unfortunately this function requires an active session and it is completely stateful, which means when I try to decode a specific session data, I end up overriding the existing session. I also tried combining `ob_start()` with `session_id()`, `session_start()`, `session_destroy()` and `ob_end_clean()`, but this would still cause some weird behaviors by sending two PHP Cookies through the Response Headers.

In an ideal world, I would override `session.serialize_handler` and be done with it, but that would require invalidating every existing session and some non-trivial changes in the 20-year-old codebase.

To my original question, is there any exposed API that would give userland access to the session deserializer algorithm in a stateless manner? Something like `session_deserialize(string $data): array;`, preferably in a way that 1) doesn't require or doesn't conflict with any existing session and 2) returns the session array without any side effects?

If not, would this be something that requires an RFC? Are there any controversial thoughts around it?

Thanks!

--
Marco Deleu
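
A userland take on the `session_deserialize(string $data): array` asked about above, as an added example that is not part of the original message or of PHP itself. It assumes the default `session.serialize_handler = php` layout (`name|` followed by a `serialize()` value, repeated), and `readLen()`, `skipValue()` and `sessionDeserialize()` are hypothetical names. Back-references (`r:`/`R:`) and `C:`/`S:` values are rejected, on the assumption that reference indices are counted across the whole session string and so cannot be resolved one value at a time.

```php
<?php // Added example; readLen(), skipValue(), sessionDeserialize() are hypothetical names.

/** Parse the decimal length at $o that ends with ':'; returns [length, offset after ':']. */
function readLen(string $d, int $o): array
{
    $digits = strspn($d, '0123456789', $o);
    if ($digits === 0 || ($d[$o + $digits] ?? '') !== ':') {
        throw new UnexpectedValueException("bad length at offset $o");
    }
    return [(int) substr($d, $o, $digits), $o + $digits + 1];
}

/** Offset just past the serialize() value starting at $o; nothing is instantiated. */
function skipValue(string $d, int $o): int
{
    switch ($d[$o] ?? '') {
        case 'N': return $o + 2;                      // N;
        case 'b': case 'i': case 'd':                 // b:1;  i:42;  d:0.5;
            $end = strpos($d, ';', $o);
            if ($end === false) break;
            return $end + 1;
        case 's': case 'E':                           // s:LEN:"bytes";
            [$len, $p] = readLen($d, $o + 2);
            return $p + $len + 3;                     // two quotes and ';'
        case 'O':                                     // O:LEN:"Class":N:{...}
            [$len, $o] = readLen($d, $o + 2);
            $o += $len + 1;                           // now $o + 2 is the property count
            // fall through: the rest is laid out like a:N:{...}
        case 'a':                                     // a:N:{key value ...}
            [$n, $p] = readLen($d, $o + 2);
            for ($p++, $i = 0; $i < 2 * $n; $i++) $p = skipValue($d, $p); // $p++ skips '{'
            return $p + 1;                            // skip '}'
    }
    throw new UnexpectedValueException("unsupported or truncated value at offset $o");
}

/** Decode "php"-handler session data without touching $_SESSION or session state. */
function sessionDeserialize(string $data): array
{
    $out = [];
    for ($o = 0, $n = strlen($data); $o < $n; $o = $end) {
        if (($bar = strpos($data, '|', $o)) === false) throw new UnexpectedValueException("missing '|' after offset $o");
        $end = skipValue($data, $bar + 1);
        $raw = substr($data, $bar + 1, $end - $bar - 1);
        $value = @unserialize($raw, ['allowed_classes' => false]); // objects -> __PHP_Incomplete_Class
        if ($value === false && $raw !== 'b:0;') throw new UnexpectedValueException("corrupt value after offset $bar");
        $out[substr($data, $o, $bar - $o)] = $value;
    }
    return $out;
}
// Constructed sample: the string value itself contains '|' and ';'.
print_r(sessionDeserialize('user_id|i:42;note|s:9:"a|b;c|d:1";roles|a:2:{i:0;s:5:"admin";i:1;s:3:"ops";}'));
```

Splitting on `|` or `;` would break on the `note` value, which is why the scanner follows the declared lengths instead. Passing `allowed_classes => false` matters for a tool that reads other users' session files, since it keeps application classes and their `__wakeup()`/`__destruct()` hooks from being triggered by stored data.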