Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:71306 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 20829 invoked from network); 20 Jan 2014 08:23:37 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 20 Jan 2014 08:23:37 -0000 Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.173 as permitted sender) X-PHP-List-Original-Sender: yohgaki@gmail.com X-Host-Fingerprint: 209.85.217.173 mail-lb0-f173.google.com Received: from [209.85.217.173] ([209.85.217.173:55241] helo=mail-lb0-f173.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 35/B3-02192-70DDCD25 for ; Mon, 20 Jan 2014 03:23:36 -0500 Received: by mail-lb0-f173.google.com with SMTP id y6so4679428lbh.32 for ; Mon, 20 Jan 2014 00:23:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=8Hh0k2ZQgCXnOhQ/F69J+s/FMRsCvGW9ba+z0e1F8mk=; b=0JdtzNf0SntrDWM7Qye7cM4SCLlEnpwFyeAHXAO0QgGY3G5VJvs1zPSc8dXpYQ6+xy i7Omc9X6IdoGKpXs55vqS7WSxsmqoOfCm7M8Zcco+ezo6potuuz74xr0lBuxygcEG/Kf Q9DjcdVVEzPjFQI/RDU3fn+KeCNkwgK6XkO7y0Q9zBrt467KYeoKsFPQPI0JoJX13O9Z jq3dJzMBXuWjq2MzldUk3kQhUTMjkoMeiES+Pxg1KBxEY/uQUSrGT/sjDo1XU1etrW/e D4dVm5X3vLAMTFBAKFrNnSZXmCAD3qvBLi1mONWzOMy9uJi7duAU2vQe3Y6AGtDQVnaf D1ug== X-Received: by 10.152.116.97 with SMTP id jv1mr8744047lab.20.1390206212711; Mon, 20 Jan 2014 00:23:32 -0800 (PST) MIME-Version: 1.0 Sender: yohgaki@gmail.com Received: by 10.112.6.68 with HTTP; Mon, 20 Jan 2014 00:22:52 -0800 (PST) In-Reply-To: <52DCD1C5.8080109@sugarcrm.com> References: <52DC905F.2080705@sugarcrm.com> <52DCAE75.8070401@sugarcrm.com> <52DCD1C5.8080109@sugarcrm.com> Date: Mon, 20 Jan 2014 17:22:52 +0900 X-Google-Sender-Auth: StG4kpdJ0vRTLMKWYwhPoVOnjrE Message-ID: To: Stas Malyshev Cc: "internals@lists.php.net" Content-Type: multipart/alternative; boundary=001a11c34c80792a0404f0629b7a Subject: Re: [PHP-DEV] [VOTE] Introduce session.lock, session.lazy_write and session.lazy_destory From: yohgaki@ohgaki.net (Yasuo Ohgaki) --001a11c34c80792a0404f0629b7a Content-Type: text/plain; charset=UTF-8 Hi Stas On Mon, Jan 20, 2014 at 4:35 PM, Stas Malyshev wrote: > > It allows access to old session for certain amount of time. 30 seconds > > would be enough for session.lock=off. 60 or more when session.lock=on. > > I was about to allow access to deleted session for 90 seconds. > > Configurable INI may be better. I'll make session.lazy_destroy a integer > > config. > > It is irrelevant how long it is. Even 1 microsecond is long enough - if > the app said session data should be gone, then they should be gone, not > linger around and allow access to them. If you need access to that data, > copy it into the new session. > I agree. If app delete it now, it should be delete immediately. It is possible with session.lazy_destory=0. Since server and client is not synchronized, there are edge case that app may allow to access old session for a while. It should be allowed. IMO. > > > IIRC you're one of them who are preferred to have separate > > implementation(?) > > I prefer not to have implementation for 2 out of 3 proposed "features" > at all, because I think they will produce more problems than solutions. > For the lazy-write feature, IMO it can be made global, or function (I > actually prefer both) - but I see no reason to create a duplicate > driver, if you don't want it turned on, turn off the option. I'm not > sure what would be the reason to clone the driver. Do you have a > reference for where it was asked so I could re-read it and recall what > were the reasons for it? My memory may be failing me :) > > No, they don't have to. They can ignore new features or implement them > > all or part of them. > > This would be a bit confusing - you set an option, but some drivers > would implement it, some would ignore it, so you never know what > actually happens. > That's the reason why I would like to add new API to declare save handler capability. If I know capability, I may assume what it does. > > Shooting their own foot is possible, but let advanced users to enjoy > > extreme performance! > > I don't think performance at he expense of reliability, data consistency > and security should be our goal. Like I said, we could also make an > option to ignore random number of file writes and claim it is a > performance feature, but it would be useless, since there is no case > where one would recommend to use it. I see no case where I would > recommend anybody to use unlocked sessions - so why introduce it? In previous mail, it is described good use case. Without locking, scripts are executed concurrently. When session.lock=off and session.lazy_write=on, scripts does not have to wait session read() and only updated session is written back to storage. For example, if session only store authentication information, it works perfectly and there is no risk of authenticated(logged out session) remains or un-authenticated session became an authenticated session. We also should consider that memcache/memched have unlock option already. Like databases allow query without transaction or transaction with less consistency, session module may allow options that give more performance at the cost of consistency. It's an option for developers. IMHO. (Current session is the same as "serializable transaction isolation level" only database which is very slow and restrict concurrency.) I'll write clearly that "end users" should never enable dangerous options unless developer explicitly allows it. I'll also write that developers are better to detect dangerous options if app does not support them. Is it enough, isn't it? Regards, -- Yasuo Ohgaki yohgaki@ohgaki.net --001a11c34c80792a0404f0629b7a--