bcosca / fatfree

A powerful yet easy-to-use PHP micro-framework designed to help you build dynamic and robust Web applications - fast!

(SQL-based) session management skips unserializable objects silently #906

Open dualon opened 8 years ago

dualon commented 8 years ago

SQL-based session management skips unserializable objects silently, although it should throw at least a notice to the developer.

    $s = new \DB\SQL\Session($DB, 'sessions', false);
    $ClassWithPDOInstance = new \MyClass;

    $f3->set('SESSION.unsrobj', $ClassWithPDOInstance);

MySQL 'sessions' table remains empty, the session variable is therefore not set, but the above code runs silently. It should scream hard. ;)

KOTRET commented 8 years ago

This should be addressed to PHP core. F3 calls session_set_save_handler to register the session handlers. The write function already receives a string for data (see official documentation for this). That means the data is already serialized when this function is called.

Either stop storing stateful objects (like mapper) in the session or:

a) implement the __sleep / __wakeup functions - see here
b) implement the Serializable interface.

@bcosca: we had this in DB-class in F3 V2, dunno where it went:

    function __sleep() {
        return array('dbname','backend','result');
    }

    function __wakeup() {
        self::instantiate();
    }
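
The advice in the comment above, as an added example that is not part of the thread or of F3's code: an object holding a PDO handle fails to serialize, a `__sleep` / `__wakeup` pair makes it session-safe, and an explicit check surfaces the failure at assignment time instead of at session write. The names `Repo`, `SleepyRepo` and `assertSerializable` are hypothetical; PHP 7+ and the pdo_sqlite extension are assumed so the demo runs offline.

```php
<?php
// Added example: class and function names are hypothetical, not F3 API.

class Repo {                          // stateful object holding a live PDO handle
    public $dsn;
    public $pdo;
    public function __construct($dsn) {
        $this->dsn = $dsn;
        $this->pdo = new PDO($dsn);
    }
}

class SleepyRepo extends Repo {
    // Persist only non-secret configuration, never the connection handle.
    public function __sleep() {
        return array('dsn');
    }
    // Re-establish the connection when the object is restored.
    public function __wakeup() {
        $this->pdo = new PDO($this->dsn);
    }
}

// Serialize eagerly so an unserializable value fails where it is assigned,
// not later when the session save handler is handed the data.
function assertSerializable($value) {
    try {
        return serialize($value);
    } catch (Throwable $e) {
        throw new InvalidArgumentException('Not session-safe: ' . $e->getMessage(), 0, $e);
    }
}

// Constructed demo input: an in-memory SQLite DSN.
try {
    assertSerializable(new Repo('sqlite::memory:'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

$blob = assertSerializable(new SleepyRepo('sqlite::memory:'));
echo $blob, PHP_EOL;                  // contains the DSN only

// Restrict which classes may be instantiated when reading the data back.
$restored = unserialize($blob, array('allowed_classes' => array('SleepyRepo')));
var_dump($restored->pdo instanceof PDO);
```

A real DSN or separate credentials should not be written into session storage this way; keep secrets in application configuration and have `__wakeup` look them up.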