1.2.1069. Session Lazy Write¶
Classes that implements SessionHandlerInterface must also implements SessionUpdateTimestampHandlerInterface.
The two extra methods are used to help lazy loading : the first actually checks if a sessionId is available, and the seconds updates the time of last usage of the session data in the session storage.
This was spotted by Nicolas Grekas
, and fixed in Symfony [HttpFoundation] Make sessions `secure and lazy #24523 <https://github.com/symfony/symfony/pull/24523>`_.
<?php
interface SessionUpdateTimestampHandlerInterface {
// returns a boolean to indicate that valid data is available for this sessionId, or not.
function validateId($sessionId);
//called to change the last time of usage for the session data.
//It may be a file's touch or full write, or a simple update on the database
function updateTimestamp($sessionId, $sessionData);
}
?>
See also Sessions: Improve original RFC about lazy_write and Sessions.
1.2.1069.1. Suggestions¶
Implements the SessionUpdateTimestampHandlerInterface interface
1.2.1069.2. Specs¶
Short name |
Security/SessionLazyWrite |
Rulesets |
|
Exakat since |
0.12.15 |
PHP Version |
All |
Severity |
Major |
Time To Fix |
Slow (1 hour) |
Precision |
High |
Features |
session |
Available in |