Joomla! Issue Tracker | Joomla! CMS #6608 - Remove code that should be handled via session handlers

Closed
8 Jan 2016
Medium
Build: staging
# 6608
Diff
mbabker:sessionGC

Success

Success The Travis CI build passed Details

User tests: Successful: Unsuccessful:

mbabker
29 Mar 2015

In our application class exists code to clean up dead session data from the database. This same code exists in the database session handler and is registered to PHP's session management API. This PR removes the lines from the application class and leaves garbage collection of session data to the session API.

Testing Instructions

So this one's a little more difficult to test. You'll probably want to manipulate your session configs (see http://php.net/manual/en/function.session-set-save-handler.php and specifically the settings around the gc config). The gc callable is called on a randomized basis, so manipulating the settings will make it more controlled. With the patch applied, expired session data should still be removed from the database; however instead of the application doing it on pretty much every request on an even numbered second, it'll be left to PHP to decide when it's called.

a4509bf 29 Mar 2015

Remove code that should be handled via session handlers

mbabker - open - 29 Mar 2015

joomla-cms-bot - change - 29 Mar 2015

Labels

Added: ?

zero-24 - change - 29 Mar 2015

Category

⇒

Libraries

dgt41 - comment - 30 Mar 2015

@mbabker is there a reason why line 117 is not

if (is_null($this->config->get('session')) && $this->config->get('session') !== false)

and line 123 again not

if (is_null($this->config->get('session_name')) && $this->config->get('session') !== false)

This way session is disabled if in configuration there is a public $session = false;
Am I missing something here?

mbabker - comment - 30 Mar 2015

No idea

On Sunday, March 29, 2015, Dimitris Grammatiko notifications@github.com
wrote:

@mbabker https://github.com/mbabker is there a reason why line 117 is
not

if (is_null($this->config->get('session')) && $this->config->get('session') !== false)

and line 123 again not

if (is_null($this->config->get('session_name')) && $this->config->get('session') !== false)

This way session is disabled if in configuration there is a public
$session = false;
Am I missing something here?

—
Reply to this email directly or view it on GitHub
#6608 (comment).

wilsonge - comment - 30 Mar 2015

Because the active user object is stored in the session (and get initialised by JFactory::getUser) I'd imagine disabling the session is effectively impossible anyhow

mbabker - comment - 30 Mar 2015

Storing the active user in the session isn't necessarily bad, but having JUser coupled to JSession (via JFactory) is a huge mistake.

dgt41 - comment - 30 Mar 2015

I guess decoupling them will be huge b/c break?

wilsonge - comment - 31 Mar 2015

I'd imagine so. I'm sure someone somewhere tries to refresh the active user details by directly editing the session. Allow it to work around that then their code breaks on those sites...

mbabker - comment - 16 Jun 2015

Closing for lack of interest.

mbabker - change - 16 Jun 2015

Status	Pending	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2015-06-16 13:32:22
Closed_By		⇒	mbabker

mbabker - close - 16 Jun 2015

dgt41 - comment - 16 Jun 2015

@mbabker this was a good improvement and should be considered for Joomla
If you reopen it I will spend some time testing it

mbabker - change - 16 Jun 2015

Status	Closed	⇒	New
Closed_Date	2015-06-16 13:32:22	⇒
Closed_By	mbabker	⇒

mbabker - reopen - 16 Jun 2015

dgt41 - comment - 16 Jun 2015

@mbabker some more infos on testing will be really appreciated.
I changed my php.ini to

[Session]
session.save_handler = files
session.save_path = /Applications/MAMP/tmp/php
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php

session.gc_probability = 1
session.gc_divisor     = 200
session.gc_maxlifetime = 1440

session.bug_compat_42 = 1
session.bug_compat_warn = 1
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

but cannot figure out how to confirm that the session is not updated in db. PHPMyAmin?

mbabker - comment - 16 Jun 2015

IIRC I had session.gc_probability to 1 and session.gc_divisor at like 4 or something (so it would run on 1 in 4 page requests). You could probably log something in JSessionStorageDatabase to make note of when the method gets triggered. When it does, it should execute the same query that's removed from the application class here.

mbabker - change - 22 Aug 2015

Status	New	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2015-08-22 15:24:55
Closed_By		⇒	mbabker

mbabker - close - 22 Aug 2015

wilsonge - change - 14 Dec 2015

Status	Closed	⇒	New
Closed_Date	2015-08-22 15:24:54	⇒
Closed_By	mbabker	⇒

wilsonge - reopen - 14 Dec 2015

mbabker - comment - 14 Dec 2015

@wilsonge Don't merge this. Come to find out this is needed to clean the session table if you're using another session handler since JApplicationCms is inserting records into the session table no matter what.

wilsonge - comment - 14 Dec 2015

the checkSession function?

mbabker - comment - 15 Dec 2015

Right. This garbage collect method is basically ensuring that expired sessions, regardless of handler, are purged out of the database because of that code in checkSession.

mbabker - comment - 8 Jan 2016

Superseded by #8862

mbabker - change - 8 Jan 2016

Status	New	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2016-01-08 17:00:19
Closed_By		⇒	mbabker

mbabker - close - 8 Jan 2016

mbabker - head_ref_deleted - 8 Jan 2016

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#6608] - Remove code that should be handled via session handlers

Testing Instructions

Add a Comment