Re: [RFC] Revert/extend/postpone original RFC about read_only, lazy_write sessions

From:	Yasuo Ohgaki	Date:	Sun, 16 Mar 2014 05:32:54 +0000
Subject:	Re: [RFC] Revert/extend/postpone original RFC about read_only, lazy_write sessions
References:	1	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

Hi Andrey,

I've finished modifying patch, so I read your RFC.

On Sun, Mar 16, 2014 at 3:24 AM, Andrey Andreev <[email protected]> wrote:

> I'm announcing the following RFC for discussion, with the hope that it
> can get through before the PHP 5.6 release:
> https://wiki.php.net/rfc/session-read_only-lazy_write
>
> As noted in it, I don't feel like
> https://wiki.php.net/rfc/session-lock-ini was
> handled properly. Lack
> of attention to it alone is demonstrated by the fact that a total of
> only 10 people have voted. I hope that this follow-up receives more
> attention, so that we can avoid a potential mess.
>

// $_SESSION['logged_in'] has been set in a previous request
Request 1: session_start(['read_only' => TRUE]);
Request 2: session_start(); unset($_SESSION['logged_in']);
session_write_close();
Request 1: if ($_SESSION['logged_in']) { /* logic */ } // evaluates to TRUE


Your example ends up with the same result regardless of "read_only".
If Request 1 locks session data, it finishes execution as logged_in==TRUE.

There may be race condition like this. However, it does not matter much if
legitimate users' requests are processed as authenticated or not under such
race condition. It's _legitimate_ users' request anyway.

If apps must not allow such race condition, any of
session_write_close/commit(), read_only
should not be used. (Request serialization is not perfect still, though.
Please read
session_regenerate_id() thread for details.)


2. The RFC describes that with 'lazy_write' set to TRUE, if no change was
made to session data, then PS_UPDATE_FUNC() will be called instead of
PS_WRITE_FUNC(). However, it only talks about internal implementation and
fails to address (or at least mention) that a custom session handler should
now also have an update() method.


This is not correct.
User defined save handler does not have to implement update() method.
Session module is designed to allow omitting new method/function just
like undocumented create_sid() function/method. There are test cases
for it.  (BTW, I noticed that I missed to compare dummy function address.
It's fixed in my repository already.)

"lazy_write" could be INI option and default to false, but it makes little
sense
because it is compatible with current behavior. I cannot think of good
reason to
disable it, but it may be disabled if you need.

I don't see good reason to postpone this change still.

Regards,

--
Yasuo Ohgaki
[email protected]


   

Thread (34 messages)

• Andrey AndreevSat, 15 Mar 2014 18:24:11 +0000
  • Yasuo OhgakiSun, 16 Mar 2014 01:12:02 +0000
    • Andrey AndreevSun, 16 Mar 2014 01:27:24 +0000
    • Stas MalyshevSun, 16 Mar 2014 01:28:32 +0000
      • Yasuo OhgakiSun, 16 Mar 2014 01:44:17 +0000
      • Andrey AndreevSun, 16 Mar 2014 16:34:31 +0000
        • Stas MalyshevSun, 16 Mar 2014 20:03:44 +0000
          • Andrey AndreevSun, 16 Mar 2014 23:07:02 +0000
            • Yasuo OhgakiMon, 17 Mar 2014 00:09:19 +0000
              • Andrey AndreevMon, 17 Mar 2014 08:52:51 +0000
                • Yasuo OhgakiMon, 17 Mar 2014 09:02:06 +0000
                  • Andrey AndreevMon, 17 Mar 2014 09:14:41 +0000
                    • Yasuo OhgakiMon, 17 Mar 2014 09:31:27 +0000
                      • Andrey AndreevMon, 17 Mar 2014 09:57:54 +0000
                        • Yasuo OhgakiMon, 17 Mar 2014 10:35:49 +0000
                          • Andrey AndreevMon, 17 Mar 2014 10:47:45 +0000
                            • Yasuo OhgakiTue, 18 Mar 2014 00:50:57 +0000
                              • Stas MalyshevTue, 18 Mar 2014 05:45:18 +0000
                                • Yasuo OhgakiTue, 18 Mar 2014 07:43:56 +0000
                                  • Andrey AndreevTue, 18 Mar 2014 10:58:44 +0000
                                    • Ferenc KovacsTue, 18 Mar 2014 18:45:41 +0000
                                    • Yasuo OhgakiTue, 18 Mar 2014 23:04:32 +0000
                                      • Andrey AndreevTue, 18 Mar 2014 23:27:33 +0000
                                        • Yasuo OhgakiTue, 18 Mar 2014 23:50:40 +0000
                                          • Andrey AndreevWed, 19 Mar 2014 00:17:24 +0000
                                            • Yasuo OhgakiWed, 19 Mar 2014 01:38:16 +0000
                                              • Andrey AndreevThu, 20 Mar 2014 11:19:15 +0000
                                                • John LeSueurThu, 20 Mar 2014 18:35:38 +0000
                                                  • Andrey AndreevFri, 21 Mar 2014 13:46:07 +0000
    • Yasuo OhgakiSun, 16 Mar 2014 01:39:42 +0000
  • Yasuo OhgakiSun, 16 Mar 2014 05:32:54 +0000
    • Andrey AndreevSun, 16 Mar 2014 16:47:57 +0000
  • Yasuo OhgakiSun, 16 Mar 2014 07:57:02 +0000
    • Stas MalyshevSun, 16 Mar 2014 19:59:39 +0000