[pmwiki-devel] Sessions questions...

Patrick R. Michaud pmichaud at pobox.com
Fri May 11 10:56:39 CDT 2007

On Fri, May 11, 2007 at 11:33:31AM -0400, The Editor wrote:
> I'm doing some interesting work with sessions but have a couple
> general questions.
> To set a session unique to each field, you would use
> session_id($id);
> then you would call
> session_start()
> then you would read or write values as needed
> Then to close you would use
> session_write_close()
> is that correct?


> Is it best to start the session just once, at the beginning and close
> at the end, or start and close several times in a long script?  And if
> the first, will the same session_id be used each time?

PHP locks session files, so that only one PHP instance may have
the session file open at any given time.  Normally this isn't an
issue, but if a visitor is using multiple tabs to access the
same site (i.e., in the same session), then keeping the session
open during a long script will slow things down significantly.
(This is why PmWiki attempts to close the session whenever it
safely can.)

However, it's also important to be very careful about using
session_write_close().  If a function you write does:

    function myfunc() {
       ##  some stuff with $_SESSION
       session_write_close();
    }

and a caller to myfunc is doing something like:

    function someotherfunc() {
       ##  get some values from $_SESSION
       myfunc();
       ##  store some values back into $_SESSION
    }

then the "store some more values back into $_SESSION" performed 
by someotherfunc() won't be saved in the session, because myfunc()
closed the session.  And it won't be obvious to the person writing
or looking at the someotherfunc() call that the session was
being closed.

For this reason, PmWiki always uses:

    $sid = session_id();
    session_start();
    ##  work with $_SESSION
    if (!$sid) session_write_close();

which says to close the session ONLY if we know that we're
the function that opened it.  If the session was already open
prior to the session start, or if we can't tell if the session
was open, then we don't close it (because some other calling
function might be relying on the session being open).

It's a pain, but PHP doesn't provide sufficient information to
be able to reliably determine if a session is currently open.

> Does the session id have to be unique for each user?  And if so how do
> you do that?

Yes, the session id needs to be unique for each user.  Using uniqid()
might help.

> Is there a way to renew a session's "timer" so if they are on your
> site a long time, it gets renewed each time they load a page?

I think this happens by default whenever the session is opened
and closed.
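
The close-only-if-we-opened-it rule from the message above, as an added example that is not part of the original post or PmWiki's code. It uses session_status(), which was added in PHP 5.4, to tell whether the session is already open; the helper name with_session() and the session keys are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added example, not PmWiki code. with_session() and the keys 'hits' and
// 'last' are hypothetical names chosen for this demonstration.

ini_set('session.use_cookies', '0');       // no cookie header, so this runs from the CLI
session_save_path(sys_get_temp_dir());     // assumption: temp dir is writable

// Run $fn with the session open. Close it afterwards only if this call
// opened it, so a caller's later writes to $_SESSION are still saved.
function with_session(callable $fn) {
    $opened_here = (session_status() !== PHP_SESSION_ACTIVE);
    if ($opened_here) session_start();
    try {
        return $fn();
    } finally {
        // Release the session file lock as soon as the opener is done.
        if ($opened_here) session_write_close();
    }
}

function myfunc() {
    return with_session(function () {
        $_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
        return $_SESSION['hits'];
    });
}

function someotherfunc() {
    return with_session(function () {
        $before = $_SESSION['hits'] ?? 0;
        myfunc();                           // nested call leaves our session open
        $_SESSION['last'] = 'written after myfunc()';
        return $before;
    });
}

someotherfunc();

// Reopen the same session and read back what was actually stored.
$saved = with_session(function () { return $_SESSION; });
print_r($saved);
```

If myfunc() called session_write_close() unconditionally, the 'last' key would be missing from the stored session when it is read back.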


