Hi Patrick,
On Wed, Oct 23, 2013 at 4:35 PM, Patrick Schaaf <[email protected]> wrote:
> While true for us, that is a separate issue. The parallel in-flight
> requests meeting an invalidated session, will happen as well with fully
> locked sessions - for example they will wait on the lock for the old
> session ID while the regenerating script is still before the regeneration
> point. When the lock is lifted (with regenerate(true)) they will then see
> an empty session, potentially affecting their operation due to missing
> context.
>
> Regarding non-full session locking, going that way is a conscious decision
> for us. We find that most of the time the session data we use is readonly,
> i.e. a once set up set of contextual information is used but not modified
> by e.g. additional ajax requests. Full locking in these cases, coupled with
> the occasional longer running script, results in full serialization of
> request processing, which translates into much increased total latency for
> the end user.
>
> Thus, our general approach is to shortly open the session, capturing
> $_SESSION to class static storage, and closing the session again. Setter
> methods of our helper class then maintain a dirty flag, and at the end of
> the script run (or explicitly called), a "flush" method examines that dirty
> flag, and only when dirty, it opens the session again and replaces all
> session variables with the full set of variables modified by that script
> (so no modifications of several parallel scripts are mixed together -
> simple last-one-wins, which makes reasoning about correctness somewhat
> easier).
>
I can make deletion of old session data at the end of request (i.e. delete
old session data at RSHUTDOWN) by keeping deleted session id in a hash.
Hash or any other storage is required since users can call
session_commit()/session_write_close() and call session_start() again, then
call session_regenerated_id()/session_destory(). Deleting session data at
RSHUTDOWN would leave time read old session data for multiple requests at
the same time.
session_start() - locks session data
session_regenerate_id() - release lock for old session data and stores id
to a hash to delay deletion.
RSHUTDOWN - check hash and if there is session data to be deleted, delete
them.
It may be good idea to have short wait time (configurable, 100
topms or so by default) and/or get lock for the deletion so that give
better chance to have non-empty session data.
Simple applications don't have to care much but complex apps may have race.
I'll try to see if this idea works well or not.
Regards,
--
Yasuo Ohgaki
[email protected]