PHP RFC: User defined session serializer
- Version: 1.0
- Date: 2016-11-17
- Author: Yasuo Ohgaki yohgaki@ohgaki.net
- Status: Declined
- First Published at: http://wiki.php.net/rfc/user_defined_session_serializer
Introduction
Currently, only C module can add additional session data serializer. With user defined session data serializer, users can
- Encrypt/decrypt session data transparently.
- Use any serialization format such as JSON/XML/etc.
- Add invisible data to session data for session data management purpose.
- Validate session data via hash_hmac().
Proposal
Add session serializer registration function.
bool session_set_serializer(callable $serialize_func, callable $unserialize_func)
$serialize_func and $unserialize_func are:
$serialize_func = function(array $session_data_array) { // User can add/encrypt data in this function // Returning anything other than string raises E_RECOVERABLE_ERROR return serialize($session_data_array); // Must return string } $unserialize_func = function(string $session_data_string) { // User can remove/decrypt/validate data in this function // Returning anything other than array raises E_RECOVERABLE_ERROR return unserialize($session_data_string); // Must return array }
Add session serializer interface.
interface SessionSerializerInterface { function encode(array $session_data_array):string; function decode(string $serialized_session_data_string):array; }
session_set_serializer() accepts object implements SessionSerializerInterface.
bool session_set_serializer(SessionSerializerInterface $handler)
These functions/methods are called before reading/writing session data to session data database.
Please refer to the pull request phpt files for usage details.
Backward Incompatible Changes
None.
Proposed PHP Version(s)
Next PHP. Currently 7.2.
Future Scope
Current session modules OO user save handler uses internal save handler as its base object. This design caused many problems.
User defined session serializer can get rid of this design issue. There will be new and clean OO session save handler interface proposal. This RFC keeps extendability for new OO session save handler API.
Proposed Voting Choices
2/3 majority is required to pass.
Vote starts: 2016-12-05 Vote ends: 2016-12-19 UTC 23:59:59
Patches and Tests
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
- a link to the language specification section (if any)
References
Links to external references, discussions or RFCs