Do not create session when it is not necessary

I think we could have an option "start" in the configuration (in the session section):

• 0 means no session
• 1 means automatic session (created only when it is useful)
• 2 means always create a session (current behavior in jelix)

For me, config parameter "always_start" is ok. Default value is 1 (0 to disable).

About jSession::set() en jSession::get(), why not, but what about existing code in applications calling $_SESSION directly ?

I think that the deal could be :

• default value of "always_start" is 1, so the behavior is not changed.
• if "always_start" is 0, then there's no session created, unless we explicitly use jSession::set()

of course, jSession::set() only starts the session once.

NB : for this change to work fine, we have to find/replace all $_SESSION direct calls by jSession::set() in Jelix files (autolocale, auth, etc....).

NB2 : For arrays in session, I don't think we could do something like :

var_dump(jSession::get('cart')['products']); // equivalent to var_dump($_SESSION['cart']['products']);

so we have to do :

$cart = jSession::get('cart');
var_dump($cart['products']);

It's not a big problem, but we have to write a little more ;)

If my solution is Ok, i can implement it in jSession.

For me, config parameter "always_start" is ok. Default value is 1 (0 to disable).

I prefer "start", with the three values 0, 1, 2. One advantage of this, that there isn't an issue with existing application which use $_SESSION. Developers can put "2" and so they don't have to change their code (but they don't have the benefit of automatic session of course). If they put "1", they have to change all $_SESSION by the use of jSession. And they can specify "0", for "no session", usefull for command line (see ticket #445, blocked by this one) (or if they don't want to use sessions).

for this change to work fine, we have to find/replace all $_SESSION direct calls by jSession::set() in Jelix files

of course

For arrays in session.. I don't think we could do something like :

no I don't think too.. It's true that it is not really sexy...

I'm affraid of people don't understanding they have to check/change config file for sessions to work.

For migration safety, we then must set "2" as the default value, so all applications continue to work like today.

So it's like my "always_start" set to 1.

If you put 0 in "start", then sessions will not be available. What if a developer writes something like :

jSession::set('mySessionVar','value');

we should thrown an Exception telling that the session isn't available, right ? I can't think about just doing nothing in that case.

If we do not throw an Exception, then we really should start the session, and then my parameter "always_start=1|0" is enough to cover all cases.

If we throw an Exception, ok, we can use "start=0|1|2" that I will prefer to rename as "start=never|ondemand|always" for better comprehension.

So the question is, when the developper writes jSession::set() and the sessions are "never" started, should we throw an exception or should we start the session to make things right ?

For migration safety, we then must set "2" as the default value, so all applications continue to work like today.

Of course...

when the developper writes jSession::set() and the sessions are "never" started, should we throw an exception or should we start the session to make things right ?

Throw an exception. If the developer don't want sessions, then we shouldn't start session.

Ok I can implement this in jSession and make changes in Jelix to call jSession::set() and jSession::get().

what about start=never|ondemand|always instead of start=0|1|2 ?

yes ok for start=never|ondemand|always

Ok, should be patched in 1 or 2 days.

Here's the patch.

Right now I didn't change the calls to $_SESSION in the jelix core source.

I also added some methods to jSession :

jSession::isDefined('myvar') // like isset($_SESSION['myvar']);
jSession::delete('myvar') // like unset($_SESSION['myvar']);
jSession::destroy() // like session_destroy() + cookie deletion

The problem to me is that we can't do things like :

$_SESSION['myvar']['index'] = 12;
var_dump($_SESSION['myvar']['index']);
isset($_SESSION['myvar']['index']);
unset($_SESSION['myvar']['index']);

or we should think about something like :

jSession::get('part1/part2/part3'); // returns $_SESSION['part1']['part2']['part3'];

but that's probably a perf problem (exploding at char "/" then getting right index recursively).

I'm wondering if we shouldn't simplify this, just by using parameters "never" and "always" because coding is quite heavier whithout the direct calls to $_SESSION and even I we can provide alternative ways, this would impact perfs in my opinion.

Got to go, be back tomorrow to talk about it.

Just had a look at Zend Framework.

They also have to do ugly thinks like :

<?php
require_once 'Zend/Session/Namespace.php';
$sessionNamespace = new Zend_Session_Namespace();

// assign the initial array
$sessionNamespace->array = array('tree' => 'apple');

// make a copy of the array
$tmp = $sessionNamespace->array;

// modfiy the array copy
$tmp['fruit'] = 'peach';

// assign a copy of the array back to the session namespace
$sessionNamespace->array = $tmp;

echo $sessionNamespace->array['fruit']; // prints "peach"

Ouch !!!

I really want to be able to do things like :

$_SESSION['array'] = array('tree' => 'apple');
$_SESSION['array']['fruit'] = 'peach';

I think we should forget about "on demand" session start right now, until we have a genius idea for dealing with these problems.

I suggest we just patch jSession to disable sessions upon configuration parameter start = 0

What do you think about it ?

Ok, why not. So your next patch should be attached to the ticket #445.

Patch posted for ticket #445.

For the current ticket (#490), what about just implementing this feature :

[sessions]
; to disable sessions, set the following parameter to 0
start = 1

With this, we can disable sessions for any entry point we need.

Should I post that patch in this ticket, or create a new one (because the patch wouldn't solve the "on-demand session start" thing mentioned in the ticket) ?

I really think that the start=0|1 solution is far enough, and we shouldn't try to implement on-demand session start, because that will force Jelix users to write quite ugly code (see previous examples) and I'm not sure that performances will really increase that much.

If we still want something for "on-demand session start", I think we should rather look for some kind of coord plugin with per action params, just like the auth coord plugin.

I'm ok for your solution for the moment. However, create a new ticket for that. I would like to keep this ticket open for the moment... Perhaps some features of PHP 5.3 (or PHP6) could help us to resolve this problem in a nicer way..

Ok see ticket #506

Ticket #445 is now fixed. Need to remove bloking to close ticket #445.