[Phplib-users] php4 session fix, and some thoughts

[Lindsay H. <fmo...@fm...>]

My shopping carts were broken using phplib with php4 session management, so
I found the problem and fixed it.  Patches against phplib-7.4-pre2 are
attached.

Basically, the instance variable $sess->in wasn't being saved across
sessions, and Joe Stewart noted as much in his code comments.  setup.inc was
being run on each page access, so any stored information was getting wiped
out since $cart->start(), in my setup.inc, ran each time a page was loaded.

The underlying problem is that phplib session management no longer
instantiates a session class with all the public and private instance
variables needed by the API.  While the $sess object stored in $_SESSION can
invoke class methods from the underlying class definition, there's no ready
way to store instance variables.  Joe and others have fixed some of these,
of course.

To get around this, I defined a class, CurrentSession, and an instance
object of _this_ class is stored in the $_SESSION array.  An instance of
CurrentSession can hold whatever instance variables the session requires and
methods in the $sess object can be used to retrieve them.  The
CurrentSession instance object is named "sob_".session_id(), which may be
overkill, but will definitely insure uniqueness.  Rather than using the
$sess->in instance variable, I defined a couple of methods,
$sess->get_auto_init_done() and $sess->set_auto_init_done() which do much
the same thing and require only a minor modification to page4.inc (for which
a patch is also attached).  I probably shouldn't have done this, since
saving and restoring $sess->in could be done with a few lines of additional
coding and this would preserve the API.  This would require a working
page_close() though, as noted below.

There's a broader consideration here, and although I'm not familiar with all
the details of the session class, I'll put forth a few ideas which seem to
be extensible from the little work I've done here.

IMHO, php4 session management shouldn't be thought of as a replacement in
any way for phplib session management.  In essence, php4 session management
can be considered to be just another database engine with some added
functionality such as session ID management, serialization and garbage
cleanup.  The object should be to preserve the published phplib session
object API as much as possible to avoid breaking existing web applications
which depend on phplib.  Several things fall out from this:

*  The CurrentSession class could be expanded to include all necessary
   variables, both public and private previously exposed in the $sess class
   API.  It might be good to put these into an array so that they could be
   extracted into the current session object with while(list(...) =
   each(...)) syntax.
   
*  The $sess->start() method should declare an object of CurrentSession,
   make it global, and register it.  This is done in my patch.
   
*  page_open() should interate through the the variable array (or through
   all the instance variables) in the CurrentSession object and restore
   instance variables in the $sess object from this object in the $_SESSION
   array.  My patch doesn't do this, but it wouldn't be hard to do.
   
*  page_close(), rather than being depreciated, should be retained and used 
   to transfer $sess instance variables to the CurrentSession object stored
   in $_SESSION.  I've simply defined a couple of $sess instance methods to
   do this as needed for the auto_init flag, but putting the required
   functionality into page_open() and page_close() would be a more general
   solution, and ought to be done to preserve the API.  There aren't many of
   these variables, so this may be moot.  Most, if not all of the variables
   in the older session.inc are static with respect to the lifetime of a
   session.
   
*  If session instance variables should, by and large, be considered as
   const varables, the CurrentSession class may be overkill, and a couple of
   global variables should do the trick.  I first made a solution to the
   auto_init problem using a global variable rather than a global class, but
   the global class seemed to be a more general solution, and more elegant
   and scalable.
   
I hope this helps.  Joe, what do you think?  If I find some time I'll work
on this, but a bigger problem is getting phplib, php4 and apache2 to be
friendly with each other :-)

-- 
Lindsay Haisley       | "Everything works    |     PGP public key
FMP Computer Services |       if you let it" |      available at
512-259-1190          |    (The Roadie)      | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                      |