[pmwiki-users] Session variable issues

[Joachim Durchholz]

Patrick R. Michaud wrote:
> Yes; for some reason PHP complains with a warning if session_start
> is called twice.  (Personally, I wish it would just be a no-op if
> the session has already started.  And I also wish there was a way
> to know if a session has already started, but PHP doesn't seem to
> tell us that either.)

Hmm... the session handling code in PmWiki seems rather fragile to me. 
I.e. session_start() and session_write_close() are paired off in 
far-apart parts of the code, so it's easy to get confused about the 
state that PHP's session mechanism may be in.

I'd suggest keeping the PHP session state in a global variable. I.e. 
something like

$SessionActive = 0;

function OpenSession() {
# Retrieves session data and populates $_SESSION.
   if (!$SessionActive) {
     session_start();
     $SessionActive = 1;
   }
}

function CloseSession() {
# Makes changes in $_SESSION persistent.
# Further changes to $_SESSION will remain temporary,
# and the next OpenSession() call will roll $_SESSION
# back to the state it had during this CloseSession() call.
   if ($SessionActive) {
     session_write_close();
     $SessionActive = 0;
   }
}


BTW there's one really important detail:

PHP does *not* save the session data when it is redirected! At least not 
all PHP versions do that if the user comments on php.net are to be believed.

So Redirect() should do an explicit CloseSession() (or 
session_write_close() if you don't like the above scheme).

To bulletproof the thing, I'd even call CloseSession() before the "exit" 
instruction in the main thread of PmWiki - this may be paranoia, but 
there seems to be a great deal of version dependencies and confusion 
about what circumstances exactly will make PHP auto-save the session 
variables, and I think it's better to be safe than sorry with that.

Regards,
Jo