[imp] VERY obscure bug just waiting to bite someone....

James Noyes jnoyes-horde@retrogeeks.com
Thu, 21 Feb 2002 02:19:02 -1000


On Thu, 21 Feb 2002 11:53:27 -0000
"Henry Blackman" <h.blackman@chester.ac.uk> wrote:
> You make a good argument, but I've been using a MySQL session based
> architecture for some time and I have had no problems with it.  However I
> wonder if you have a slight bug in your session code?
> 
I'd be VERY interested in seeing your Session Manager code to compare it
against mine.  I'll also point out that I am using IMP authentication for
all of Horde. That may be important, since the imp/login.php?reason=logout
is what my site calls for the "log out" link and it's IMP's login.php, not
Horde's that has the issue.

> For example, I constantly see errors in people's USER DEFINED code, in
> their session read function whereby if there is no session data, their
> function returns "false".  That's wrong, it must return '' (two single
> quotes - ie. nothing).  I've seen this time and time again, so why don't
> you check your code for that bug - it can't hurt.
> 
This common mistake is discussed in MANY places, and the MySQL session
management code I am using does NOT do this.  The problem I discovered
actually *occurs* when a zero-length string is correctly returned. 
Returning the FALSE constant just causes Apache to seg-fault, and that is
not what I was experiencing.

> Your statement where the USER is responsible for session clear-up.  You
> are wrong.  That's what garbage collection does.  You should have a
> function that takes care of that, and your php.ini should specify what
> percentage of times it should be called during a session operation
> (defaulting to 1 percent).
> 
Perhaps I didn't clarify my use of the word "your".  The built-in
file-based PHP sessioning's garbage collection does not purge old files
from /tmp (or wherever it stores them).  Therefore it IS in fact "your"
responsibility ("you" in this case being the person responsible for
operation of the web server or the site that uses the sessioning) to clean
up session files that haven't been accessed in some length of time.  As
for the garbage collection function inside a user-defined session manager,
well, if "you" wrote the session manager code, then as the author doesn't
that make it "your" responsibility?  Semantics, I know.  I never said the
USER (most certainly not the end-user accessing the web site) was
responsible for this cleanup.

James