Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:121763
Return-Path: <landers.robert@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 81771 invoked from network); 22 Nov 2023 21:24:50 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 22 Nov 2023 21:24:50 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 75925180043
	for <internals@lists.php.net>; Wed, 22 Nov 2023 13:24:53 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
	SPF_PASS autolearn=no autolearn_force=no version=4.0.0
X-Spam-Virus: No
X-Envelope-From: <landers.robert@gmail.com>
Received: from mail-oo1-f50.google.com (mail-oo1-f50.google.com [209.85.161.50])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 22 Nov 2023 13:24:53 -0800 (PST)
Received: by mail-oo1-f50.google.com with SMTP id 006d021491bc7-586ae6edf77so132206eaf.1
        for <internals@lists.php.net>; Wed, 22 Nov 2023 13:24:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1700688288; x=1701293088; darn=lists.php.net;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=5uH5gv77L12/MUm8vrfFabf5zi3tfVhOZaDqgmY38Eg=;
        b=BoQ/pG3oXzpsn9lv5iU43t8f6Z7GR5Nx2NcuzbTUlmL8dbakKNegS6LNv0Cj45QHeB
         QaQHR312bc8FXF3g7ph0C5jzwNSr1BhBPv+UFJnD1xfnoUT+Iya6YhMm3RP+g/ApdjdU
         RLYpEkh/yNMRdFFb177DnAYOmA86YSr4et+B03m078RKCArgCSrt1aLLq4O8fHXo63xk
         kurUvENQsylFlfKsYkOxlgKanfAWbZu3qVGcSn4SnyaG4HayVNuuFY5oL33HCHjQcxVG
         Hk9I8oXCmNnYvuL8TJEi93OeFo1F5UxC0d0DQerN60Ydn3DVH6pQb0I6nnbhh2K12lBc
         UnuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1700688288; x=1701293088;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=5uH5gv77L12/MUm8vrfFabf5zi3tfVhOZaDqgmY38Eg=;
        b=YEEP7YBgi61LvEI0mr+ns8X/BDhcV+bXLipEIRCWFaKU1O1uawDWcXxq0s/78kMGLA
         8PsQmXw8vW+GSh1q9sLqh1YagEvStNjJ6y4h+g72sQ8DkBp0iT/qok9Tn6YU2RFtdbXk
         asgYGeQTD2NqLdFhnDJhE9oyqY+XJMdRDZcIfTBCopQAqCmhrH//SmSmo9IelFSG+gUD
         OeBeD/46R3VFE7gpM/7Gqv31DnZGtcmuv9xsdnbGPPRCpDPvj1UB6Nr5nM7TZlS/1JQU
         AqNRGSIP9avuMxkgRXzzhv6u5o28YmsNcvWjcgBqSg7iZVtyuZzedi1Rc9ZeH00WhJgf
         FAcg==
X-Gm-Message-State: AOJu0YzaykA528OW2vHKQuCVZyiXHYxh6qIT1i/gZj7HGqkdwRqtKez+
	DDEEZl0Its0mA5m7rzRCFDDD0gh4ONiBATv9y8mXaBx3dYHQ+g==
X-Google-Smtp-Source: AGHT+IGS/ncapWj+pJGIURB+izKPCh+NiGXl4jg1n7TAqY2ONaJGigT4C5WeE9Y7dYcQtSjH5L28HlWXYtBnP2CM0qU=
X-Received: by 2002:a05:6820:a01:b0:589:df75:2d7b with SMTP id
 ch1-20020a0568200a0100b00589df752d7bmr4043006oob.2.1700688288228; Wed, 22 Nov
 2023 13:24:48 -0800 (PST)
MIME-Version: 1.0
References: <CADK1yX+2DWPyRBvGh2bJdn+3ZfdgN0-kX5NaDuTfvMhioExF+A@mail.gmail.com>
In-Reply-To: <CADK1yX+2DWPyRBvGh2bJdn+3ZfdgN0-kX5NaDuTfvMhioExF+A@mail.gmail.com>
Date: Wed, 22 Nov 2023 22:24:36 +0100
Message-ID: <CAPzBOBNu2RgbhByDv4P5sq=5zE6hk=fHxNHt4s0cZCJgZSiJyw@mail.gmail.com>
To: Deleu <deleugyn@gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Ability to session_decode() in a stateless manner?
From: landers.robert@gmail.com (Robert Landers)

On Wed, Nov 22, 2023 at 10:06=E2=80=AFPM Deleu <deleugyn@gmail.com> wrote:
>
> Hi!
>
> Earlier today I was working on a small tool to invalidate PHP Sessions in=
 a
> legacy system. I quickly found out about the `session_decode()` function,
> but unfortunately this function requires an active session and it is
> completely stateful, which means when I try to decode a specific session
> data, I end up overriding the existing session.
>
> I also tried combining `ob_start()` with `session_id()`, `session_start()=
`,
> `session_destroy()` and `ob_end_clean()`, but this would still cause some
> weird behaviors by sending two PHP Cookies through the Response Headers.
>
> In an ideal world, I would override `session.serialize_handler` and be do=
ne
> with it, but that would require invalidating every existing session and
> some non-trivial changes in the 20 year old codebase.
>
> To my original question, is there any exposed API that would give userlan=
d
> access to the session deserializer algorithm in a stateless manner?
> Something like `session_deserialize(string $data): array;`, preferably in=
 a
> way that
> 1) doesn't require or doesn't conflict with any existing session and
> 2) returns the session array without any side effects?
>
> If not, would this be something that requires an RFC? Are there any
> controversial thoughts around it?
>
> Thanks!
>
> --
> Marco Deleu

Hey Marco,

I vaguely remember dealing with something like this about 10 years
ago-ish. If I remember correctly,

1. copy the _SESSION var to a temp var
2. clear the _session var
3. decode the session
4. copy the _session var to an output array
5. clear the _session var
6. restore the original _session var

Or something like that. I doubt that is immensely helpful, but maybe it is.

Robert Landers
Software Engineer
Utrecht NL