Newsgroups: php.internals
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Rasmus Lerdorf
Cc: Yasuo Ohgaki, "internals >> PHP internals"
Date: Wed, 4 Feb 2015 04:50:20 +0900
Subject: Re: PS(invalid_session_id) ?

Hi Rasmus,

On Wed, Feb 4, 2015 at 1:20 AM, Rasmus Lerdorf wrote:

> Hey Yasuo, I noticed that you removed the invalid_session_id boolean
> from php_session.h. For extensions that do:
>
> PS(invalid_session_id) = 1;
>
> what is the new way for them?
>

First of all, PS(invalid_session_id) never worked as it was supposed to. It wasn't used to generate a new session ID when the session ID is invalid...

To notify the session module of an invalid session ID, please use PS_FUNC_VALIDATE_SID(). If it returns FAILURE, the session module creates a new session ID by using PS_FUNC_CREATE_SID(). If PS_FUNC_CREATE_SID() is not implemented, the session module uses the default php_session_create_id().

For save handlers, there are the old save handler definitions PS_FUNCS and PS_FUNCS_SID. New save handlers are supposed to use PS_FUNCS_UPDATE_TIMESTAMP. It requires implementing PS_CREATE_SID. If the save handler does not need a custom session ID, the default php_session_create_id() may simply be called. However, it is better to check for session ID collisions, as the "files" handler does. With a collision check in PS_CREATE_SID_FUNC(), collisions never happen.

/*
 * Create session ID.
 * PARAMETERS: PS_CREATE_SID_ARGS in php_session.h
 * RETURN VALUE: Valid session ID (zend_string *) or NULL for FAILURE.
 *
 * PS_CREATE_SID_FUNC() must check collision, i.e. check session data if
 * the new sid exists already.
 * *mod_data is guaranteed to have a non-NULL value.
 * NOTE: Default php_session_create_id() does not check collision. If
 * NULL is returned, the session module creates a new ID by using php_session_create_id().
 * If php_session_create_id() fails due to invalid configuration, it raises E_ERROR.
 * NULL return value checks from php_session_create_id() are not generally required.
 */
PS_CREATE_SID_FUNC(files)
{
	zend_string *sid;
	int maxfail = 3;
	PS_FILES_DATA;

	do {
		sid = php_session_create_id((void**)&data);
		if (!sid) {
			if (--maxfail < 0) {
				return NULL;
			} else {
				continue;
			}
		}
		/* Check collision */
		/* FIXME: mod_data(data) should not be NULL (User handler could be NULL) */
		if (data && ps_files_key_exists(data, sid->val) == SUCCESS) {
			if (sid) {
				zend_string_release(sid);
				sid = NULL;
			}
			if (--maxfail < 0) {
				return NULL;
			}
		}
	} while(!sid);

	return sid;
}

Summary for new save handlers

- Use PS_FUNCS_UPDATE_TIMESTAMP/PS_MOD_UPDATE_TIMESTAMP.
- PS_VALIDATE_SID() returns FAILURE for an uninitialized session ID or anything the save handler decides is an invalid session ID. Otherwise, return SUCCESS.
- PS_CREATE_SID() should check for session ID collision. Return NULL for failure.
- PS_UPDATE_TIMESTAMP_FUNC() must update the session data timestamp, e.g. touch the file for "files"; memcache updates the timestamp on read access, so simply return SUCCESS.

I added comments to ext/session/mod_files.c for save handler developers. Please refer to it also.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
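
Added example, not part of the original message and not PHP source: a stand-alone C model of the flow described above, in which an ID that the handler never initialized fails validation and is replaced by a newly created ID that has passed a bounded collision check. Every function name, the in-memory store and the fixed candidate list are assumptions made for illustration; a real save handler obtains candidates from php_session_create_id().

```c
#include <stdio.h>
#include <string.h>

/* Stand-alone model, not PHP source: every name here is hypothetical. */
#define MAX_SESS 8
static const char *store[MAX_SESS];   /* IDs the handler has issued */
static int nstore;

/* Constructed candidates; the first one collides with an existing session. */
static const char *candidates[] = { "aaaa1111", "bbbb2222", "cccc3333" };
static int next_cand;

static void reset_model(void) {
    nstore = 0; next_cand = 0;
    store[nstore++] = "aaaa1111";     /* one session already exists */
}

static int key_exists(const char *sid) {
    for (int i = 0; i < nstore; i++)
        if (strcmp(store[i], sid) == 0) return 1;
    return 0;
}

/* validate_sid role: 0 (FAILURE) for any ID this handler never initialized. */
static int validate_sid(const char *sid) { return sid != NULL && key_exists(sid); }

/* create_sid role: bounded retry with a collision check, NULL on failure. */
static const char *create_sid(void) {
    int maxfail = 3, ncand = (int)(sizeof candidates / sizeof *candidates);
    do {
        const char *sid = next_cand < ncand ? candidates[next_cand++] : NULL;
        if (sid && !key_exists(sid)) return sid;
    } while (--maxfail >= 0);
    return NULL;
}

/* Session module role: keep the client's ID only if the handler validates it. */
static const char *session_start(const char *client_sid) {
    if (validate_sid(client_sid)) return client_sid;
    const char *sid = create_sid();
    if (!sid || nstore >= MAX_SESS) return NULL;
    store[nstore++] = sid;
    return sid;
}

int main(void) {
    reset_model();
    printf("%s\n", session_start("aaaa1111"));        /* existing ID is kept */
    printf("%s\n", session_start("never-issued-id")); /* replaced by a new ID */
    return 0;
}
```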