Re: [Phplib-users] php4 session fix, and some thoughts

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Thus spake Joe Stewart on Tue, Jan 21, 2003 at 06:52:51PM CST
> I can't take credit for the code ( Max and maybe others deserve the 
> thanks).  I just moved the cvs around some.  Sorry I don't have more time 
> right now to help much with this.

I think it's under control.  The patches I made work fine!  

> To make sure I understand - The auto_init file is included with every 
> pageview when using the session4.inc class.  Using the session.inc it is 
> only included on session creation.  This is because the value of sess->in 
> is lost so the conditional in page4.inc fails.

That's right.  The $in instance variable isn't saved off.  Because it's an
instance variable, apparently php doesn't allow one to declare it global,
and if it's not global, it can't be saved in the php4 session data.  The way
around this is to create a global object and use page_open and page_close to
move stuff between the $sess instance variable(s) and the global object.

> I filed a bug report:
> 
> [ 672166 ] auto_init file included every page_view with session4
> http://sourceforge.net/tracker/index.php?func=detail&aid=672166&group_id=31885&atid=403611

OK, thanks!  I'll take a look at it.

> > The underlying problem is that phplib session management no longer
> > instantiates a session class with all the public and private instance
> > variables needed by the API.  While the $sess object stored in $_SESSION can
> > invoke class methods from the underlying class definition, there's no ready
> > way to store instance variables.  Joe and others have fixed some of these,
> > of course.
> >
> 
> others (Giancarlo for one) fixed it in auth.

OK.  Your stamp was on the RCS IDs, probably from doing CVS maintenance.

> I like the idea of preserving sess->in instead.  page_close is already 
> required again if you use register_globals off.

You're right about this, of course.  It's good that page_close isn't being
dropped since it basically serves as a catchall page destructor funciton. 
My fix was kind of quick and dirty, and it did the job, but $sess->in is
part of the published API and ought to be supported.  The more I thought
about it, the more I realized that this is the right approach.  

Shall I fix this and submit a patch?  Will it reach people who may want or
need it?

> thanks for tracking this down.

I did it for purely practical reasons :-)  I have to make this stuff work.

-- 
Lindsay Haisley       | "Everything works    |     PGP public key
FMP Computer Services |       if you let it" |      available at
512-259-1190          |    (The Roadie)      | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                      |