Re: Re: Revert session_serializer_name(), session_gc()

From: Andrey Andreev Date: Fri, 14 Mar 2014 10:44:09 +0000

Subject: Re: Re: Revert session_serializer_name(), session_gc()

References: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Groups: php.internals

Request: Send a blank email to [email protected] to get a copy of this message

Hi,

On Fri, Mar 14, 2014 at 12:30 PM, Patrick Schaaf <[email protected]> wrote:
>
> Am 14.03.2014 11:07 schrieb "Andrey Andreev" <[email protected]>:
>
>
>>
>> This is broken, consider the following (multiple tab/ajax/whatever
>> concurrency) scenario:
>>
>> Request1: session_start(['read_only' => TRUE]);
>> Request2: session_start(); unset($_SESSION['logged_in']);
>> session_commit();
>> Request1: still logged in
>>
>> ^ This screams "danger".
>
>
> That is _not_ broken WRT sessions themselves, because the readonly session
> of request 1 will not be permitted to change session data (it is readonly)
> and as such the situation is the same as if request 1 completed before
> request 2 started.
>
> It _is_ broken when the session lock is "misused" as a lock wrt. other,
> nonsession data / database modifications / whatever else. In that case,
> using the readonly session feature or any other kind of different-lifetime
> session lock scheme is bad for the application - don't do that then.

It is not broken functionally, indeed.
It's broken by design - if I write session_start(), options or not, I
would never expect it to immediately close the session. It's highly
misleading and this will lead to a lot of abuse.

Cheers,
Andrey.

Thread (41 messages)

Andrey AndreevTue, 11 Mar 2014 13:37:44 +0000
Yasuo OhgakiTue, 11 Mar 2014 22:37:31 +0000Re: Revert session_serializer_name(), session_gc()
Andrey AndreevTue, 11 Mar 2014 23:54:21 +0000
Yasuo OhgakiWed, 12 Mar 2014 00:19:14 +0000
Andrey AndreevWed, 12 Mar 2014 11:04:03 +0000
Yasuo OhgakiWed, 12 Mar 2014 11:30:03 +0000
Andrey AndreevWed, 12 Mar 2014 12:03:10 +0000
Yasuo OhgakiWed, 12 Mar 2014 21:12:35 +0000
Andrey AndreevWed, 12 Mar 2014 23:43:32 +0000
Yasuo OhgakiThu, 13 Mar 2014 01:40:07 +0000
Patrick SchaafThu, 13 Mar 2014 07:15:00 +0000Re: Re: Revert session_serializer_name(), session_gc()
Yasuo OhgakiThu, 13 Mar 2014 07:45:17 +0000
Pierre JoyeThu, 13 Mar 2014 09:22:01 +0000
Andrey AndreevThu, 13 Mar 2014 10:36:35 +0000
Andrey AndreevThu, 13 Mar 2014 16:56:11 +0000
Yasuo OhgakiThu, 13 Mar 2014 20:09:01 +0000
Andrey AndreevThu, 13 Mar 2014 21:01:24 +0000
Yasuo OhgakiThu, 13 Mar 2014 22:01:10 +0000
Yasuo OhgakiThu, 13 Mar 2014 22:18:48 +0000
Andrey AndreevThu, 13 Mar 2014 23:16:28 +0000
Yasuo OhgakiFri, 14 Mar 2014 01:30:15 +0000
Andrey AndreevFri, 14 Mar 2014 10:07:05 +0000
Patrick SchaafFri, 14 Mar 2014 10:30:14 +0000
Andrey AndreevFri, 14 Mar 2014 10:44:09 +0000
Yasuo OhgakiSat, 15 Mar 2014 00:20:49 +0000
Andrey AndreevSat, 15 Mar 2014 02:32:59 +0000
Yasuo OhgakiSat, 15 Mar 2014 04:15:23 +0000
Yasuo OhgakiSat, 15 Mar 2014 04:36:05 +0000
Andrey AndreevSat, 15 Mar 2014 05:10:07 +0000
Yasuo OhgakiSat, 15 Mar 2014 06:28:13 +0000
Andrey AndreevSat, 15 Mar 2014 18:33:05 +0000
Yasuo OhgakiSun, 16 Mar 2014 00:45:57 +0000
Yasuo OhgakiSun, 16 Mar 2014 00:57:51 +0000
Yasuo OhgakiFri, 14 Mar 2014 10:30:42 +0000
Yasuo OhgakiFri, 14 Mar 2014 10:38:37 +0000
Yasuo OhgakiThu, 13 Mar 2014 19:32:13 +0000
Andrey AndreevThu, 13 Mar 2014 20:29:29 +0000
Lester CaineThu, 13 Mar 2014 10:04:05 +0000
Yasuo OhgakiThu, 13 Mar 2014 01:49:00 +0000
Yasuo OhgakiThu, 13 Mar 2014 03:03:00 +0000
Julien PauliWed, 12 Mar 2014 16:00:44 +0000

« previous	php.internals (#73158)	next »

From:	Andrey Andreev	Date:	Fri, 14 Mar 2014 10:44:09 +0000
Subject:	Re: Re: Revert session_serializer_name(), session_gc()
References:	1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message