Proposed changes to $_SESSION handling (looking for feedback)


Ed Finkler

Jan 24, 2008, 7:00:48 PM1/24/08
to ins...@googlegroups.com
As you've certainly read in other threads, there are problems with
session handling when using Inspekt. In the 0.3 release, Inspekt
treats $_SESSION like all the other superglobals, wrapping them
inside an Inspekt_Cage object and unsetting the existing array. By
doing so, we're breaking session functionality *entirely*, as PHP
seems to have some Magic Stuff going on behind the scenes. I looked
into re-creating the session (pulling the session_name(), setting the
ID, etc.) and re-populating the $_SESSION array, but it doesn't appear
to do what is necessary to pass the session data properly to the next
page load.

So at this point, I am unaware of a way to destroy $_SESSION and
maintain the session. The purpose of destroying $_SESSION is to
prevent direct access to the data. It might be possible to privatize
this data somehow in PHP5 (not sure at this point), but I don't see
any way (short of writing a whole session system in userspace) to
block access to $_SESSION.

So.

My intention is to release 0.3.1 with the change that
Inspekt::makeSessionCage() does not destroy $_SESSION. I have a rough
version ready to check into SVN, but I'd like to hold off until I get
some feedback.

My intention beyond that is to improve session handling by creating
"set**()" methods similar to the "get**()" methods that will make it
easier to write escaped data into the session. I am not 100% sure this
is necessary, as session data at first blush wouldn't be taintable by
the user (unlike the session_id and session_name). Still, I think at
least keeping getting and setting values in the session working
through the same interface would be easier to deal with for the
programmer.

Thoughts?

--
Ed Finkler
http://funkatron.com
AIM: funka7ron
ICQ: 3922133
Skype: funka7ron
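The following is an added illustration, not code from Inspekt or from Ed Finkler, of the design sketched above: a cage that wraps the live $_SESSION array by reference rather than unsetting it, so PHP's own session machinery still sees and persists the array, with typed get**() accessors and matching set**() mutators that filter on the way in and out. The class name SessionCageExample, its methods, and the constructed $fakeSession array are hypothetical; with a real request you would pass $_SESSION after session_start() instead.

```php
<?php
// Added example, not Inspekt's own code. SessionCageExample wraps an
// array by reference (the live $_SESSION in a real request) instead of
// copying it and calling unset($_SESSION), so session persistence keeps
// working while application code is steered through filtered accessors.

class SessionCageExample
{
    /** @var array Reference to the backing array ($_SESSION in practice). */
    private $data;

    private function __construct(array &$source)
    {
        // Bind by reference: writes through the cage land in the real array.
        $this->data = &$source;
    }

    /** Build a cage over an existing array without destroying it. */
    public static function wrap(array &$source)
    {
        return new self($source);
    }

    // --- get**() style accessors: return filtered copies, never raw values ---

    public function getInt($key, $default = 0)
    {
        return isset($this->data[$key]) ? (int) $this->data[$key] : $default;
    }

    public function getAlnum($key, $default = '')
    {
        if (!isset($this->data[$key])) {
            return $default;
        }
        return preg_replace('/[^a-zA-Z0-9]/', '', (string) $this->data[$key]);
    }

    public function getDigits($key, $default = '')
    {
        if (!isset($this->data[$key])) {
            return $default;
        }
        return preg_replace('/[^0-9]/', '', (string) $this->data[$key]);
    }

    // --- set**() style mutators: constrain the value before it is stored ---

    public function setInt($key, $value)
    {
        $this->data[$key] = (int) $value;
    }

    public function setAlnum($key, $value)
    {
        $this->data[$key] = preg_replace('/[^a-zA-Z0-9]/', '', (string) $value);
    }

    public function has($key)
    {
        return array_key_exists($key, $this->data);
    }
}

// Constructed stand-in for $_SESSION so this runs from the CLI without a
// session handler; the values are made up for the demonstration.
$fakeSession = array(
    'user_id'  => '42abc',
    'nickname' => 'ed<script>',
);

$cage = SessionCageExample::wrap($fakeSession);

var_dump($cage->getInt('user_id'));        // int(42)
var_dump($cage->getAlnum('nickname'));     // string(8) "edscript"
var_dump($cage->getInt('missing', -1));    // int(-1)

// Writes go through the setter and land in the backing array unchanged
// in identity, which is what keeps PHP's session save handler happy.
$cage->setAlnum('nickname', 'ed.finkler');
var_dump($fakeSession['nickname']);        // string(9) "edfinkler"
```

The point of binding by reference is that the superglobal is never unset: the session save handler still serialises the same array at the end of the request, while the cage gives the programmer one consistent interface for reading and writing constrained values.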

Ed Finkler

Jan 24, 2008, 7:13:37 PM1/24/08
to inspekt
My apologies; I may have spoken too soon on this. I may have sorted
out the basics of reconstructing the session. More info forthcoming.