Make the interpretation of gc_probability configurable by adding
session.gc_dividend. The probability of running gc on each request is then
gc_probability/gc_dividend.

Use ZEND_SET_SYMBOL_WITH_LENGTH correctly (hopefully)

It strikes me as awkward that a Zend API user needs to take care of
doing the engine's reference counting.

This fixes a mem

Use ZEND_SET_SYMBOL_WITH_LENGTH correctly (hopefully)

It strikes me as awkward that a Zend API user needs to take care of
doing the engine's reference counting.

This fixes a memory overrun in a testcase. All ZEND_SET_* calls
should be correct now.

show more ...

(track_init) Use is_ref/refcount parameters of SET_SYMBOL macros

(save_current_state) Prevent a possible deadlock which occurs when
the track vars are inaccessible

Align behaviour with 4.2 with regard to register_globals=1

session_register("c");
unset($c);
$c = time();

If a user unsets a global session variable, it is not a reference

Align behaviour with 4.2 with regard to register_globals=1

session_register("c");
unset($c);
$c = time();

If a user unsets a global session variable, it is not a reference
to a $_SESSION slot anymore.

During serialization, PHP 4.2 will not find the respective entry in
$_SESSION and fall back to the global sym table.

show more ...

Nuke PS(vars), we keep the state of registered session variables now
completely in PS(http_session_vars). This avoids bugs which are caused
by a lack of synchronization between the two hashes

Nuke PS(vars), we keep the state of registered session variables now
completely in PS(http_session_vars). This avoids bugs which are caused
by a lack of synchronization between the two hashes. We also don't need
to worry about prioritizing one of them.

Add session.bug_compat_42 and session.bug_compat_warn which are enabled
by default. The logic behind bug_compat_42:

IF bug_compat_42 is on, and
IF register_globals is off, and
IF any value of $_SESSION["key"] is NULL, and
IF there is a global variable $key, then
$_SESSION["key"] is set to $key.

The extension emits this warning once per script, unless told otherwise.

"Your script possibly relies on a session side-effect which existed until
PHP 4.2.3. Please be advised that the session extension does not consider
global variables as a source of data, unless register_globals is enabled.
You can disable this functionality and this warning by setting
session.bug_compat_42 or session.bug_compat_warn.

show more ...

Fix harmless memory leaks and simplify track_vars_init.

The session extension ensures now that get_session_var can rely
on the state of $_SESSION/$HTTP_SESSION_VARS. It does not look up
symbols in the global symbol table anymore.

This was

The session extension ensures now that get_session_var can rely
on the state of $_SESSION/$HTTP_SESSION_VARS. It does not look up
symbols in the global symbol table anymore.

This was achieved by actually planting references between every
$_SESSION["x"] and $x, not only when restoring a session, but also
when registering a session variable (in a register_globals=1 context).

Upon registering a new variable, this memory leak continues to show
up, regardless of register_globals.

ext/session/session.c(272) : Freeing 0x0818F01C (12 bytes), script=test

Obviously, the newly allocated empty zval is not properly freed. If anyone
has any idea on how to fix that, please step forward.

show more ...

ws fix

Fixed a crash, which would occur when save_handler is invalid.

Fixed bug #17281

Fixed bugs #16995 and #19392

Fixed bug #11643

Fix bug: #14991 (changing session.use_trans_sid does not work in scripts)

Fixed bugs #18167 & #16859

(php_get_session_var) Always return FAILURE if no data source was found.

Noticed by: Sebastian Bergmann

Because track vars are always initialized, get_session_var failed
to work in the register_globals=1 case.

It is now possible again to store session variables in global vars.

Correcting some english in the comment...

Forgot to update source default.

ws fix

- Fixed bug: #17977, session build as shared works now with mm handler too.
- Added listing of save handlers into phpinfo() output

This option enables administrators to make their users invulnerable to
attacks which involve passing session ids in URLs.

Changing email address.

- Fix the way code was outcommented
- Remove unused STR_CAT macro
- Remove limits/tests based on unused macro
- Implement cache_limiter(private) using private_no_expire

Revert Preston's patch

Change default directory for session data from /tmp (non-portable) to none.
Default directory for session data (if not specified) is same (platform-specific) directory used for temporary files.

Change default directory for session data from /tmp (non-portable) to none.
Default directory for session data (if not specified) is same (platform-specific) directory used for temporary files.
This is backwards compatible and removes the need for explicitly specifying the session.save_path on Win32.

show more ...