| blob | 9a681d78ffbeb9d15abe596ed831ad43eb1ace62 |
1 <?xml version="1.0" encoding="UTF-8"?>
2 <!-- Reviewed: no -->
3 <sect1 id="zend.session.advanced_usage">
4 <title>Advanced Usage</title>
6 <para>
7 While the basic usage examples are a perfectly acceptable way to utilize Zend Framework
8 sessions, there are some best practices to consider. This section discusses the finer
9 details of session handling and illustrates more advanced usage of the
10 <classname>Zend_Session</classname> component.
11 </para>
13 <sect2 id="zend.session.advanced_usage.starting_a_session">
14 <title>Starting a Session</title>
16 <para>
17 If you want all requests to have a session facilitated by
18 <classname>Zend_Session</classname>, then start the session in the bootstrap file:
19 </para>
21 <example id="zend.session.advanced_usage.starting_a_session.example">
22 <title>Starting the Global Session</title>
24 <programlisting language="php"><![CDATA[
25 Zend_Session::start();
26 ]]></programlisting>
27 </example>
29 <para>
30 By starting the session in the bootstrap file, you avoid the possibility that your
31 session might be started after headers have been sent to the browser, which results in
32 an exception, and possibly a broken page for website viewers. Various advanced features
33 require <methodname>Zend_Session::start()</methodname> first. (More on advanced features
34 later.)
35 </para>
37 <para>
38 There are four ways to start a session, when using <classname>Zend_Session</classname>.
39 Two are wrong.
40 </para>
42 <orderedlist>
43 <listitem>
44 <para>
45 Wrong: Do not enable <acronym>PHP</acronym>'s <ulink
46 url="http://www.php.net/manual/en/ref.session.php#ini.session.auto-start">
47 <code>session.auto_start</code> setting</ulink>. If you do not have the
48 ability to disable this setting in php.ini, you are using mod_php (or
49 equivalent), and the setting is already enabled in <code>php.ini</code>, then
50 add the following to your <code>.htaccess</code> file (usually in your
51 <acronym>HTML</acronym> document root directory):
52 </para>
54 <programlisting language="httpd.conf"><![CDATA[
55 php_value session.auto_start 0
56 ]]></programlisting>
57 </listitem>
59 <listitem>
60 <para>
61 Wrong: Do not use <acronym>PHP</acronym>'s <ulink
62 url="http://www.php.net/session_start"><methodname>session_start()</methodname></ulink>
63 function directly. If you use <methodname>session_start()</methodname> directly,
64 and then start using <classname>Zend_Session_Namespace</classname>, an exception
65 will be thrown by <methodname>Zend_Session::start()</methodname> ("session has
66 already been started"). If you call <methodname>session_start()</methodname>
67 after using <classname>Zend_Session_Namespace</classname> or calling
68 <methodname>Zend_Session::start()</methodname>, an error of level
69 <constant>E_NOTICE</constant> will be generated, and the call will be ignored.
70 </para>
71 </listitem>
73 <listitem>
74 <para>
75 Correct: Use <methodname>Zend_Session::start()</methodname>. If you want all
76 requests to have and use sessions, then place this function call early and
77 unconditionally in your bootstrap code. Sessions have some overhead. If some
78 requests need sessions, but other requests will not need to use sessions, then:
79 </para>
81 <itemizedlist mark="opencircle">
82 <listitem>
83 <para>
84 Unconditionally set the <code>strict</code> option to
85 <constant>TRUE</constant> using
86 <methodname>Zend_Session::setOptions()</methodname> in your bootstrap.
87 </para>
88 </listitem>
90 <listitem>
91 <para>
92 Call <methodname>Zend_Session::start()</methodname> only for requests
93 that need to use sessions and before any
94 <classname>Zend_Session_Namespace</classname> objects are instantiated.
95 </para>
96 </listitem>
98 <listitem>
99 <para>
100 Use "<code>new Zend_Session_Namespace()</code>" normally, where needed,
101 but make sure <methodname>Zend_Session::start()</methodname> has been
102 called previously.
103 </para>
104 </listitem>
105 </itemizedlist>
107 <para>
108 The <code>strict</code> option prevents
109 <code>new Zend_Session_Namespace()</code> from automatically starting the
110 session using <methodname>Zend_Session::start()</methodname>. Thus, this option
111 helps application developers enforce a design decision to avoid using sessions
112 for certain requests, since it causes an exception to be thrown when
113 <classname>Zend_Session_Namespace</classname> is instantiated before
114 <methodname>Zend_Session::start()</methodname> is called. Developers should
115 carefully consider the impact of using
116 <methodname>Zend_Session::setOptions()</methodname>, since these options have
117 global effect, owing to their correspondence to the underlying options for
118 ext/session.
119 </para>
120 </listitem>
122 <listitem>
123 <para>
124 Correct: Just instantiate <classname>Zend_Session_Namespace</classname> whenever
125 needed, and the underlying <acronym>PHP</acronym> session will be automatically
126 started. This offers extremely simple usage that works well in most situations.
127 However, you then become responsible for ensuring that the first
128 <code>new Zend_Session_Namespace()</code> happens <emphasis>before</emphasis>
129 any output (e.g., <ulink url="http://www.php.net/headers_sent">HTTP
130 headers</ulink>) has been sent by <acronym>PHP</acronym> to the client, if
131 you are using the default, cookie-based sessions (strongly recommended). See
132 <xref linkend="zend.session.global_session_management.headers_sent" /> for more
133 information.
134 </para>
135 </listitem>
136 </orderedlist>
137 </sect2>
139 <sect2 id="zend.session.advanced_usage.locking">
140 <title>Locking Session Namespaces</title>
142 <para>
143 Session namespaces can be locked, to prevent further alterations to the data in that
144 namespace. Use <methodname>lock()</methodname> to make a specific namespace read-only,
145 <methodname>unLock()</methodname> to make a read-only namespace read-write, and
146 <methodname>isLocked()</methodname> to test if a namespace has been previously locked.
147 Locks are transient and do not persist from one request to the next. Locking the
148 namespace has no effect on setter methods of objects stored in the namespace, but does
149 prevent the use of the namespace's setter method to remove or replace objects stored
150 directly in the namespace. Similarly, locking
151 <classname>Zend_Session_Namespace</classname> instances does not prevent the use of
152 symbol table aliases to the same data (see <ulink
153 url="http://www.php.net/references">PHP references</ulink>).
154 </para>
156 <example id="zend.session.advanced_usage.locking.example.basic">
157 <title>Locking Session Namespaces</title>
159 <programlisting language="php"><![CDATA[
160 $userProfileNamespace = new Zend_Session_Namespace('userProfileNamespace');
162 // marking session as read only locked
163 $userProfileNamespace->lock();
165 // unlocking read-only lock
166 if ($userProfileNamespace->isLocked()) {
167 $userProfileNamespace->unLock();
168 }
169 ]]></programlisting>
170 </example>
171 </sect2>
173 <sect2 id="zend.session.advanced_usage.expiration">
174 <title>Namespace Expiration</title>
176 <para>
177 Limits can be placed on the longevity of both namespaces and individual keys in
178 namespaces. Common use cases include passing temporary information between requests, and
179 reducing exposure to certain security risks by removing access to potentially sensitive
180 information some time after authentication occurred. Expiration can be based on either
181 elapsed seconds or the number of "hops", where a hop occurs for each successive request.
182 </para>
184 <example id="zend.session.advanced_usage.expiration.example">
185 <title>Expiration Examples</title>
187 <programlisting language="php"><![CDATA[
188 $s = new Zend_Session_Namespace('expireAll');
189 $s->a = 'apple';
190 $s->p = 'pear';
191 $s->o = 'orange';
193 $s->setExpirationSeconds(5, 'a'); // expire only the key "a" in 5 seconds
195 // expire entire namespace in 5 "hops"
196 $s->setExpirationHops(5);
198 $s->setExpirationSeconds(60);
199 // The "expireAll" namespace will be marked "expired" on
200 // the first request received after 60 seconds have elapsed,
201 // or in 5 hops, whichever happens first.
202 ]]></programlisting>
203 </example>
205 <para>
206 When working with data expiring from the session in the current request, care should be
207 used when retrieving them. Although the data are returned by reference, modifying the
208 data will not make expiring data persist past the current request. In order to "reset"
209 the expiration time, fetch the data into temporary variables, use the namespace to unset
210 them, and then set the appropriate keys again.
211 </para>
212 </sect2>
214 <sect2 id="zend.session.advanced_usage.controllers">
215 <title>Session Encapsulation and Controllers</title>
217 <para>
218 Namespaces can also be used to separate session access by controllers to protect
219 variables from contamination. For example, an authentication controller might keep its
220 session state data separate from all other controllers for meeting security
221 requirements.
222 </para>
224 <example id="zend.session.advanced_usage.controllers.example">
225 <title>Namespaced Sessions for Controllers with Automatic Expiration</title>
227 <para>
228 The following code, as part of a controller that displays a test question, initiates
229 a boolean variable to represent whether or not a submitted answer to the test
230 question should be accepted. In this case, the application user is given 300 seconds
231 to answer the displayed question.
232 </para>
234 <programlisting language="php"><![CDATA[
235 // ...
236 // in the question view controller
237 $testSpace = new Zend_Session_Namespace('testSpace');
238 // expire only this variable
239 $testSpace->setExpirationSeconds(300, 'accept_answer');
240 $testSpace->accept_answer = true;
241 //...
242 ]]></programlisting>
244 <para>
245 Below, the controller that processes the answers to test questions determines
246 whether or not to accept an answer based on whether the user submitted the answer
247 within the allotted time:
248 </para>
250 <programlisting language="php"><![CDATA[
251 // ...
252 // in the answer processing controller
253 $testSpace = new Zend_Session_Namespace('testSpace');
254 if ($testSpace->accept_answer === true) {
255 // within time
256 }
257 else {
258 // not within time
259 }
260 // ...
261 ]]></programlisting>
262 </example>
263 </sect2>
265 <sect2 id="zend.session.advanced_usage.single_instance">
266 <title>Preventing Multiple Instances per Namespace</title>
268 <para>
269 Although <link linkend="zend.session.advanced_usage.locking">session locking</link>
270 provides a good degree of protection against unintended use of namespaced session data,
271 <classname>Zend_Session_Namespace</classname> also features the ability to prevent the
272 creation of multiple instances corresponding to a single namespace.
273 </para>
275 <para>
276 To enable this behavior, pass <constant>TRUE</constant> to the second constructor
277 argument when creating the last allowed instance of
278 <classname>Zend_Session_Namespace</classname>. Any subsequent attempt to instantiate the
279 same namespace would result in a thrown exception.
280 </para>
282 <example id="zend.session.advanced_usage.single_instance.example">
283 <title>Limiting Session Namespace Access to a Single Instance</title>
285 <programlisting language="php"><![CDATA[
286 // create an instance of a namespace
287 $authSpaceAccessor1 = new Zend_Session_Namespace('Zend_Auth');
289 // create another instance of the same namespace, but disallow any
290 // new instances
291 $authSpaceAccessor2 = new Zend_Session_Namespace('Zend_Auth', true);
293 // making a reference is still possible
294 $authSpaceAccessor3 = $authSpaceAccessor2;
296 $authSpaceAccessor1->foo = 'bar';
298 assert($authSpaceAccessor2->foo, 'bar');
300 try {
301 $aNamespaceObject = new Zend_Session_Namespace('Zend_Auth');
302 } catch (Zend_Session_Exception $e) {
303 echo 'Cannot instantiate this namespace since ' .
304 '$authSpaceAccessor2 was created\n';
305 }
306 ]]></programlisting>
307 </example>
309 <para>
310 The second parameter in the constructor above tells
311 <classname>Zend_Session_Namespace</classname> that any future instances with the
312 "<classname>Zend_Auth</classname>" namespace are not allowed. Attempting to create such
313 an instance causes an exception to be thrown by the constructor. The developer therefore
314 becomes responsible for storing a reference to an instance object
315 (<varname>$authSpaceAccessor1</varname>, <varname>$authSpaceAccessor2</varname>, or
316 <varname>$authSpaceAccessor3</varname> in the example above) somewhere, if access to the
317 session namespace is needed at a later time during the same request. For example, a
318 developer may store the reference in a static variable, add the reference to a <ulink
319 url="http://www.martinfowler.com/eaaCatalog/registry.html">registry</ulink> (see
320 <xref linkend="zend.registry" />), or otherwise make it available to other methods that
321 may need access to the session namespace.
322 </para>
323 </sect2>
325 <sect2 id="zend.session.advanced_usage.arrays">
326 <title>Working with Arrays</title>
328 <para>
329 Due to the implementation history of <acronym>PHP</acronym> magic methods, modifying an
330 array inside a namespace may not work under <acronym>PHP</acronym> versions before
331 5.2.1. If you will only be working with <acronym>PHP</acronym> 5.2.1 or later, then you
332 may <link linkend="zend.session.advanced_usage.objects">skip to the next section</link>.
333 </para>
335 <example id="zend.session.advanced_usage.arrays.example.modifying">
336 <title>Modifying Array Data with a Session Namespace</title>
338 <para>
339 The following illustrates how the problem may be reproduced:
340 </para>
342 <programlisting language="php"><![CDATA[
343 $sessionNamespace = new Zend_Session_Namespace();
344 $sessionNamespace->array = array();
346 // may not work as expected before PHP 5.2.1
347 $sessionNamespace->array['testKey'] = 1;
348 echo $sessionNamespace->array['testKey'];
349 ]]></programlisting>
350 </example>
352 <example id="zend.session.advanced_usage.arrays.example.building_prior">
353 <title>Building Arrays Prior to Session Storage</title>
355 <para>
356 If possible, avoid the problem altogether by storing arrays into a session namespace
357 only after all desired array values have been set.
358 </para>
360 <programlisting language="php"><![CDATA[
361 $sessionNamespace = new Zend_Session_Namespace('Foo');
362 $sessionNamespace->array = array('a', 'b', 'c');
363 ]]></programlisting>
364 </example>
366 <para>
367 If you are using an affected version of <acronym>PHP</acronym> and need to modify the
368 array after assigning it to a session namespace key, you may use either or both of the
369 following workarounds.
370 </para>
372 <example id="zend.session.advanced_usage.arrays.example.workaround.reassign">
373 <title>Workaround: Reassign a Modified Array</title>
375 <para>
376 In the code that follows, a copy of the stored array is created, modified, and
377 reassigned to the location from which the copy was created, overwriting the original
378 array.
379 </para>
381 <programlisting language="php"><![CDATA[
382 $sessionNamespace = new Zend_Session_Namespace();
384 // assign the initial array
385 $sessionNamespace->array = array('tree' => 'apple');
387 // make a copy of the array
388 $tmp = $sessionNamespace->array;
390 // modfiy the array copy
391 $tmp['fruit'] = 'peach';
393 // assign a copy of the array back to the session namespace
394 $sessionNamespace->array = $tmp;
396 echo $sessionNamespace->array['fruit']; // prints "peach"
397 ]]></programlisting>
398 </example>
400 <example id="zend.session.advanced_usage.arrays.example.workaround.reference">
401 <title>Workaround: store array containing reference</title>
403 <para>
404 Alternatively, store an array containing a reference to the desired array, and then
405 access it indirectly.
406 </para>
408 <programlisting language="php"><![CDATA[
409 $myNamespace = new Zend_Session_Namespace('myNamespace');
410 $a = array(1, 2, 3);
411 $myNamespace->someArray = array( &$a );
412 $a['foo'] = 'bar';
413 echo $myNamespace->someArray['foo']; // prints "bar"
414 ]]></programlisting>
415 </example>
416 </sect2>
418 <sect2 id="zend.session.advanced_usage.objects">
419 <title>Using Sessions with Objects</title>
421 <para>
422 If you plan to persist objects in the <acronym>PHP</acronym> session, know that they
423 will be <ulink
424 url="http://www.php.net/manual/en/language.oop.serialization.php">serialized</ulink>
425 for storage. Thus, any object persisted with the <acronym>PHP</acronym> session must be
426 unserialized upon retrieval from storage. The implication is that the developer must
427 ensure that the classes for the persisted objects must have been defined before the
428 object is unserialized from session storage. If an unserialized object's class is not
429 defined, then it becomes an instance of <code>stdClass</code>.
430 </para>
431 </sect2>
433 <sect2 id="zend.session.advanced_usage.testing">
434 <title>Using Sessions with Unit Tests</title>
436 <para>
437 Zend Framework relies on PHPUnit to facilitate testing of itself. Many developers extend
438 the existing suite of unit tests to cover the code in their applications. The exception
439 "<emphasis>Zend_Session is currently marked as read-only</emphasis>" is thrown while
440 performing unit tests, if any write-related methods are used after ending the session.
441 However, unit tests using <classname>Zend_Session</classname> require extra attention,
442 because closing (<methodname>Zend_Session::writeClose()</methodname>), or destroying a
443 session (<methodname>Zend_Session::destroy()</methodname>) prevents any further setting
444 or unsetting of keys in any instance of <classname>Zend_Session_Namespace</classname>.
445 This behavior is a direct result of the underlying ext/session mechanism and
446 <acronym>PHP</acronym>'s <methodname>session_destroy()</methodname> and
447 <methodname>session_write_close()</methodname>, which have no "undo" mechanism to
448 facilitate setup/teardown with unit tests.
449 </para>
451 <para>
452 To work around this, see the unit test
453 <methodname>testSetExpirationSeconds()</methodname> in <code>SessionTest.php</code> and
454 <code>SessionTestHelper.php</code>, both located in <code>tests/Zend/Session</code>,
455 which make use of <acronym>PHP</acronym>'s <methodname>exec()</methodname> to launch a
456 separate process. The new process more accurately simulates a second, successive request
457 from a browser. The separate process begins with a "clean" session, just like any
458 <acronym>PHP</acronym> script execution for a web request. Also, any changes to
459 <varname>$_SESSION</varname> made in the calling process become available to the child
460 process, provided the parent closed the session before using
461 <methodname>exec()</methodname>.
462 </para>
464 <example id="zend.session.advanced_usage.testing.example">
465 <title>PHPUnit Testing Code Dependent on Zend_Session</title>
467 <programlisting language="php"><![CDATA[
468 // testing setExpirationSeconds()
469 $script = 'SessionTestHelper.php';
470 $s = new Zend_Session_Namespace('space');
471 $s->a = 'apple';
472 $s->o = 'orange';
473 $s->setExpirationSeconds(5);
475 Zend_Session::regenerateId();
476 $id = Zend_Session::getId();
477 session_write_close(); // release session so process below can use it
478 sleep(4); // not long enough for things to expire
479 exec($script . "expireAll $id expireAll", $result);
480 $result = $this->sortResult($result);
481 $expect = ';a === apple;o === orange;p === pear';
482 $this->assertTrue($result === $expect,
483 "iteration over default Zend_Session namespace failed; " .
484 "expecting result === '$expect', but got '$result'");
486 sleep(2); // long enough for things to expire (total of 6 seconds
487 // waiting, but expires in 5)
488 exec($script . "expireAll $id expireAll", $result);
489 $result = array_pop($result);
490 $this->assertTrue($result === '',
491 "iteration over default Zend_Session namespace failed; " .
492 "expecting result === '', but got '$result')");
493 session_start(); // resume artificially suspended session
495 // We could split this into a separate test, but actually, if anything
496 // leftover from above contaminates the tests below, that is also a
497 // bug that we want to know about.
498 $s = new Zend_Session_Namespace('expireGuava');
499 $s->setExpirationSeconds(5, 'g'); // now try to expire only 1 of the
500 // keys in the namespace
501 $s->g = 'guava';
502 $s->p = 'peach';
503 $s->p = 'plum';
505 session_write_close(); // release session so process below can use it
506 sleep(6); // not long enough for things to expire
507 exec($script . "expireAll $id expireGuava", $result);
508 $result = $this->sortResult($result);
509 session_start(); // resume artificially suspended session
510 $this->assertTrue($result === ';p === plum',
511 "iteration over named Zend_Session namespace failed (result=$result)");
512 ]]></programlisting>
513 </example>
514 </sect2>
515 </sect1>