1 <?xml version="1.0" encoding="UTF-8"?>
3 <sect1 id="zend.session.advanced_usage">
4 <title>Advanced Usage</title>
7 While the basic usage examples are a perfectly acceptable way to utilize Zend Framework
8 sessions, there are some best practices to consider. This section discusses the finer
9 details of session handling and illustrates more advanced usage of the
10 <classname>Zend_Session</classname> component.
13 <sect2 id="zend.session.advanced_usage.starting_a_session">
14 <title>Starting a Session</title>
17 If you want all requests to have a session facilitated by
18 <classname>Zend_Session</classname>, then start the session in the bootstrap file:
21 <example id="zend.session.advanced_usage.starting_a_session.example">
22 <title>Starting the Global Session</title>
24 <programlisting language="php"><![CDATA[
25 Zend_Session::start();
30 By starting the session in the bootstrap file, you avoid the possibility that your
31 session might be started after headers have been sent to the browser, which results in
32 an exception, and possibly a broken page for website viewers. Various advanced features
33 require <methodname>Zend_Session::start()</methodname> first. (More on advanced features
38 There are four ways to start a session, when using <classname>Zend_Session</classname>.
45 Wrong: Do not enable <acronym>PHP</acronym>'s <ulink
46 url="http://www.php.net/manual/en/ref.session.php#ini.session.auto-start">
47 <code>session.auto_start</code> setting</ulink>. If you do not have the
48 ability to disable this setting in php.ini, you are using mod_php (or
49 equivalent), and the setting is already enabled in <code>php.ini</code>, then
50 add the following to your <code>.htaccess</code> file (usually in your
51 <acronym>HTML</acronym> document root directory):
52 <programlisting language="httpd.conf"><![CDATA[
53 php_value session.auto_start 0
60 Wrong: Do not use <acronym>PHP</acronym>'s <ulink
61 url="http://www.php.net/session_start"><methodname>session_start()</methodname></ulink>
62 function directly. If you use <methodname>session_start()</methodname> directly,
63 and then start using <classname>Zend_Session_Namespace</classname>, an exception
64 will be thrown by <methodname>Zend_Session::start()</methodname> ("session has
65 already been started"). If you call <methodname>session_start()</methodname>
66 after using <classname>Zend_Session_Namespace</classname> or calling
67 <methodname>Zend_Session::start()</methodname>, an error of level
68 <constant>E_NOTICE</constant> will be generated, and the call will be ignored.
74 Correct: Use <methodname>Zend_Session::start()</methodname>. If you want all
75 requests to have and use sessions, then place this function call early and
76 unconditionally in your bootstrap code. Sessions have some overhead. If some
77 requests need sessions, but other requests will not need to use sessions, then:
80 <itemizedlist mark="opencircle">
83 Unconditionally set the <code>strict</code> option to
84 <constant>TRUE</constant> using
85 <methodname>Zend_Session::setOptions()</methodname> in your bootstrap.
91 Call <methodname>Zend_Session::start()</methodname> only for requests
92 that need to use sessions and before any
93 <classname>Zend_Session_Namespace</classname> objects are instantiated.
99 Use "<code>new Zend_Session_Namespace()</code>" normally, where needed,
100 but make sure <methodname>Zend_Session::start()</methodname> has been
107 The <code>strict</code> option prevents
108 <code>new Zend_Session_Namespace()</code> from automatically starting the
109 session using <methodname>Zend_Session::start()</methodname>. Thus, this option
110 helps application developers enforce a design decision to avoid using sessions
111 for certain requests, since it causes an exception to be thrown when
112 <classname>Zend_Session_Namespace</classname> is instantiated before
113 <methodname>Zend_Session::start()</methodname> is called. Developers should
114 carefully consider the impact of using
115 <methodname>Zend_Session::setOptions()</methodname>, since these options have
116 global effect, owing to their correspondence to the underlying options for
123 Correct: Just instantiate <classname>Zend_Session_Namespace</classname> whenever
124 needed, and the underlying <acronym>PHP</acronym> session will be automatically
125 started. This offers extremely simple usage that works well in most situations.
126 However, you then become responsible for ensuring that the first
127 <code>new Zend_Session_Namespace()</code> happens <emphasis>before</emphasis>
128 any output (e.g., <ulink url="http://www.php.net/headers_sent">HTTP
129 headers</ulink>) has been sent by <acronym>PHP</acronym> to the client, if
130 you are using the default, cookie-based sessions (strongly recommended). See
131 <xref linkend="zend.session.global_session_management.headers_sent" /> for more
138 <sect2 id="zend.session.advanced_usage.locking">
139 <title>Locking Session Namespaces</title>
142 Session namespaces can be locked, to prevent further alterations to the data in that
143 namespace. Use <methodname>lock()</methodname> to make a specific namespace read-only,
144 <methodname>unLock()</methodname> to make a read-only namespace read-write, and
145 <methodname>isLocked()</methodname> to test if a namespace has been previously locked.
146 Locks are transient and do not persist from one request to the next. Locking the
147 namespace has no effect on setter methods of objects stored in the namespace, but does
148 prevent the use of the namespace's setter method to remove or replace objects stored
149 directly in the namespace. Similarly, locking
150 <classname>Zend_Session_Namespace</classname> instances does not prevent the use of
151 symbol table aliases to the same data (see <ulink
152 url="http://www.php.net/references">PHP references</ulink>).
155 <example id="zend.session.advanced_usage.locking.example.basic">
156 <title>Locking Session Namespaces</title>
158 <programlisting language="php"><![CDATA[
159 $userProfileNamespace = new Zend_Session_Namespace('userProfileNamespace');
161 // marking session as read only locked
162 $userProfileNamespace->lock();
164 // unlocking read-only lock
165 if ($userProfileNamespace->isLocked()) {
166 $userProfileNamespace->unLock();
172 <sect2 id="zend.session.advanced_usage.expiration">
173 <title>Namespace Expiration</title>
176 Limits can be placed on the longevity of both namespaces and individual keys in
177 namespaces. Common use cases include passing temporary information between requests, and
178 reducing exposure to certain security risks by removing access to potentially sensitive
179 information some time after authentication occurred. Expiration can be based on either
180 elapsed seconds or the number of "hops", where a hop occurs for each successive request.
183 <example id="zend.session.advanced_usage.expiration.example">
184 <title>Expiration Examples</title>
186 <programlisting language="php"><![CDATA[
187 $s = new Zend_Session_Namespace('expireAll');
192 $s->setExpirationSeconds(5, 'a'); // expire only the key "a" in 5 seconds
194 // expire entire namespace in 5 "hops"
195 $s->setExpirationHops(5);
197 $s->setExpirationSeconds(60);
198 // The "expireAll" namespace will be marked "expired" on
199 // the first request received after 60 seconds have elapsed,
200 // or in 5 hops, whichever happens first.
205 When working with data expiring from the session in the current request, care should be
206 used when retrieving them. Although the data are returned by reference, modifying the
207 data will not make expiring data persist past the current request. In order to "reset"
208 the expiration time, fetch the data into temporary variables, use the namespace to unset
209 them, and then set the appropriate keys again.
213 <sect2 id="zend.session.advanced_usage.controllers">
214 <title>Session Encapsulation and Controllers</title>
217 Namespaces can also be used to separate session access by controllers to protect
218 variables from contamination. For example, an authentication controller might keep its
219 session state data separate from all other controllers for meeting security
223 <example id="zend.session.advanced_usage.controllers.example">
224 <title>Namespaced Sessions for Controllers with Automatic Expiration</title>
227 The following code, as part of a controller that displays a test question, initiates
228 a boolean variable to represent whether or not a submitted answer to the test
229 question should be accepted. In this case, the application user is given 300 seconds
230 to answer the displayed question.
233 <programlisting language="php"><![CDATA[
235 // in the question view controller
236 $testSpace = new Zend_Session_Namespace('testSpace');
237 // expire only this variable
238 $testSpace->setExpirationSeconds(300, 'accept_answer');
239 $testSpace->accept_answer = true;
244 Below, the controller that processes the answers to test questions determines
245 whether or not to accept an answer based on whether the user submitted the answer
246 within the allotted time:
249 <programlisting language="php"><![CDATA[
251 // in the answer processing controller
252 $testSpace = new Zend_Session_Namespace('testSpace');
253 if ($testSpace->accept_answer === true) {
264 <sect2 id="zend.session.advanced_usage.single_instance">
265 <title>Preventing Multiple Instances per Namespace</title>
268 Although <link linkend="zend.session.advanced_usage.locking">session locking</link>
269 provides a good degree of protection against unintended use of namespaced session data,
270 <classname>Zend_Session_Namespace</classname> also features the ability to prevent the
271 creation of multiple instances corresponding to a single namespace.
275 To enable this behavior, pass <constant>TRUE</constant> to the second constructor
276 argument when creating the last allowed instance of
277 <classname>Zend_Session_Namespace</classname>. Any subsequent attempt to instantiate the
278 same namespace would result in a thrown exception.
281 <example id="zend.session.advanced_usage.single_instance.example">
282 <title>Limiting Session Namespace Access to a Single Instance</title>
284 <programlisting language="php"><![CDATA[
285 // create an instance of a namespace
286 $authSpaceAccessor1 = new Zend_Session_Namespace('Zend_Auth');
288 // create another instance of the same namespace, but disallow any
290 $authSpaceAccessor2 = new Zend_Session_Namespace('Zend_Auth', true);
292 // making a reference is still possible
293 $authSpaceAccessor3 = $authSpaceAccessor2;
295 $authSpaceAccessor1->foo = 'bar';
297 assert($authSpaceAccessor2->foo, 'bar');
300 $aNamespaceObject = new Zend_Session_Namespace('Zend_Auth');
301 } catch (Zend_Session_Exception $e) {
302 echo 'Cannot instantiate this namespace since ' .
303 '$authSpaceAccessor2 was created\n';
309 The second parameter in the constructor above tells
310 <classname>Zend_Session_Namespace</classname> that any future instances with the
311 "<classname>Zend_Auth</classname>" namespace are not allowed. Attempting to create such
312 an instance causes an exception to be thrown by the constructor. The developer therefore
313 becomes responsible for storing a reference to an instance object
314 (<varname>$authSpaceAccessor1</varname>, <varname>$authSpaceAccessor2</varname>, or
315 <varname>$authSpaceAccessor3</varname> in the example above) somewhere, if access to the
316 session namespace is needed at a later time during the same request. For example, a
317 developer may store the reference in a static variable, add the reference to a <ulink
318 url="http://www.martinfowler.com/eaaCatalog/registry.html">registry</ulink> (see
319 <xref linkend="zend.registry" />), or otherwise make it available to other methods that
320 may need access to the session namespace.
324 <sect2 id="zend.session.advanced_usage.arrays">
325 <title>Working with Arrays</title>
328 Due to the implementation history of <acronym>PHP</acronym> magic methods, modifying an
329 array inside a namespace may not work under <acronym>PHP</acronym> versions before
330 5.2.1. If you will only be working with <acronym>PHP</acronym> 5.2.1 or later, then you
331 may <link linkend="zend.session.advanced_usage.objects">skip to the next section</link>.
334 <example id="zend.session.advanced_usage.arrays.example.modifying">
335 <title>Modifying Array Data with a Session Namespace</title>
338 The following illustrates how the problem may be reproduced:
341 <programlisting language="php"><![CDATA[
342 $sessionNamespace = new Zend_Session_Namespace();
343 $sessionNamespace->array = array();
345 // may not work as expected before PHP 5.2.1
346 $sessionNamespace->array['testKey'] = 1;
347 echo $sessionNamespace->array['testKey'];
351 <example id="zend.session.advanced_usage.arrays.example.building_prior">
352 <title>Building Arrays Prior to Session Storage</title>
355 If possible, avoid the problem altogether by storing arrays into a session namespace
356 only after all desired array values have been set.
359 <programlisting language="php"><![CDATA[
360 $sessionNamespace = new Zend_Session_Namespace('Foo');
361 $sessionNamespace->array = array('a', 'b', 'c');
366 If you are using an affected version of <acronym>PHP</acronym> and need to modify the
367 array after assigning it to a session namespace key, you may use either or both of the
368 following workarounds.
371 <example id="zend.session.advanced_usage.arrays.example.workaround.reassign">
372 <title>Workaround: Reassign a Modified Array</title>
375 In the code that follows, a copy of the stored array is created, modified, and
376 reassigned to the location from which the copy was created, overwriting the original
380 <programlisting language="php"><![CDATA[
381 $sessionNamespace = new Zend_Session_Namespace();
383 // assign the initial array
384 $sessionNamespace->array = array('tree' => 'apple');
386 // make a copy of the array
387 $tmp = $sessionNamespace->array;
389 // modfiy the array copy
390 $tmp['fruit'] = 'peach';
392 // assign a copy of the array back to the session namespace
393 $sessionNamespace->array = $tmp;
395 echo $sessionNamespace->array['fruit']; // prints "peach"
399 <example id="zend.session.advanced_usage.arrays.example.workaround.reference">
400 <title>Workaround: store array containing reference</title>
403 Alternatively, store an array containing a reference to the desired array, and then
404 access it indirectly.
407 <programlisting language="php"><![CDATA[
408 $myNamespace = new Zend_Session_Namespace('myNamespace');
410 $myNamespace->someArray = array( &$a );
412 echo $myNamespace->someArray['foo']; // prints "bar"
417 <sect2 id="zend.session.advanced_usage.objects">
418 <title>Using Sessions with Objects</title>
421 If you plan to persist objects in the <acronym>PHP</acronym> session, know that they
423 url="http://www.php.net/manual/en/language.oop.serialization.php">serialized</ulink>
424 for storage. Thus, any object persisted with the <acronym>PHP</acronym> session must be
425 unserialized upon retrieval from storage. The implication is that the developer must
426 ensure that the classes for the persisted objects must have been defined before the
427 object is unserialized from session storage. If an unserialized object's class is not
428 defined, then it becomes an instance of <code>stdClass</code>.
432 <sect2 id="zend.session.advanced_usage.testing">
433 <title>Using Sessions with Unit Tests</title>
436 Zend Framework relies on PHPUnit to facilitate testing of itself. Many developers extend
437 the existing suite of unit tests to cover the code in their applications. The exception
438 "<emphasis>Zend_Session is currently marked as read-only</emphasis>" is thrown while
439 performing unit tests, if any write-related methods are used after ending the session.
440 However, unit tests using <classname>Zend_Session</classname> require extra attention,
441 because closing (<methodname>Zend_Session::writeClose()</methodname>), or destroying a
442 session (<methodname>Zend_Session::destroy()</methodname>) prevents any further setting
443 or unsetting of keys in any instance of <classname>Zend_Session_Namespace</classname>.
444 This behavior is a direct result of the underlying ext/session mechanism and
445 <acronym>PHP</acronym>'s <methodname>session_destroy()</methodname> and
446 <methodname>session_write_close()</methodname>, which have no "undo" mechanism to
447 facilitate setup/teardown with unit tests.
451 To work around this, see the unit test
452 <methodname>testSetExpirationSeconds()</methodname> in <code>SessionTest.php</code> and
453 <code>SessionTestHelper.php</code>, both located in <code>tests/Zend/Session</code>,
454 which make use of <acronym>PHP</acronym>'s <methodname>exec()</methodname> to launch a
455 separate process. The new process more accurately simulates a second, successive request
456 from a browser. The separate process begins with a "clean" session, just like any
457 <acronym>PHP</acronym> script execution for a web request. Also, any changes to
458 <varname>$_SESSION</varname> made in the calling process become available to the child
459 process, provided the parent closed the session before using
460 <methodname>exec()</methodname>.
463 <example id="zend.session.advanced_usage.testing.example">
464 <title>PHPUnit Testing Code Dependent on Zend_Session</title>
466 <programlisting language="php"><![CDATA[
467 // testing setExpirationSeconds()
468 $script = 'SessionTestHelper.php';
469 $s = new Zend_Session_Namespace('space');
472 $s->setExpirationSeconds(5);
474 Zend_Session::regenerateId();
475 $id = Zend_Session::getId();
476 session_write_close(); // release session so process below can use it
477 sleep(4); // not long enough for things to expire
478 exec($script . "expireAll $id expireAll", $result);
479 $result = $this->sortResult($result);
480 $expect = ';a === apple;o === orange;p === pear';
481 $this->assertTrue($result === $expect,
482 "iteration over default Zend_Session namespace failed; " .
483 "expecting result === '$expect', but got '$result'");
485 sleep(2); // long enough for things to expire (total of 6 seconds
486 // waiting, but expires in 5)
487 exec($script . "expireAll $id expireAll", $result);
488 $result = array_pop($result);
489 $this->assertTrue($result === '',
490 "iteration over default Zend_Session namespace failed; " .
491 "expecting result === '', but got '$result')");
492 session_start(); // resume artificially suspended session
494 // We could split this into a separate test, but actually, if anything
495 // leftover from above contaminates the tests below, that is also a
496 // bug that we want to know about.
497 $s = new Zend_Session_Namespace('expireGuava');
498 $s->setExpirationSeconds(5, 'g'); // now try to expire only 1 of the
499 // keys in the namespace
504 session_write_close(); // release session so process below can use it
505 sleep(6); // not long enough for things to expire
506 exec($script . "expireAll $id expireGuava", $result);
507 $result = $this->sortResult($result);
508 session_start(); // resume artificially suspended session
509 $this->assertTrue($result === ';p === plum',
510 "iteration over named Zend_Session namespace failed (result=$result)");