Respect ini session.use_strict_mode

[rhertogh]

Q	A
Is bugfix?	❌
New feature?	✔️
Breaks BC?	✔️/❌ Only if Session::openSession() and/or Session::writeSession() are overwritten.
Tests pass?	✔️
Fixed issues	#18061

Implements support for session.use_strict_mode by the Yii2 Session handler.
When a session is started with a non existing session id a new id will be generated. This imitates the behavior for the session_set_save_handler validate_sid param (which requires PHP >= 7.0).
The session will only be stored under the newly generated id.

To Do's to fully implement:

• Test behavior of native storage: Yii2 implementation doesn't seem to interfere with native storage behavior.
• Implement checks on all custom storage classes
  • yii\web\CacheSession
  • yii\web\DbSession
  • yii\redis\Session (yiisoft/yii2-redis#212)
  • yii\mongodb\Session (yiisoft/yii2-mongodb#319)
• Add tests
• Add steps to upgrade.md

[samdark]

👍

Test behavior of native storage
Implement checks on all custom storage classes
Add tests
Add steps to upgrade.md

Good plan.

[rhertogh]

@samdark If this PR is approved I'll also implement the useStrictMode for Redis and MongoDB. Those were the ones I could come up with, are there other extensions extending Session?

[rhertogh]

The failing of the tests seem to have something to do with https://www.leaseweb.com/labs/2012/08/ps_files_cleanup_dir-permission-denied/
I've tried to implement a workaround (cd8c0e3) but with no success. Locally the tests run fine (Centos 7 PHP 7.3) any ideas how to fix this on the Github build environment?

[rhertogh]

Found the problem. In the Github action, phpunit runs under the 'runner' user (locally it's under the 'root' user).
Setting the session.save_path ini directive to the 'runner' temp directory solves the problem.

[rhertogh]

@samdark

Also it's not clear why PHP 5.4 fails tests. It may be not related but I'm not sure...

That's indeed something I also haven't figured out yet. It looks like the session table isn't correctly created during the setUp(). But why this would fail on 5.4 is still a mystery.

[rhertogh]

@samdark

Implementations for redis and mongo are needed.

Redis (yiisoft/yii2-redis#212) and MongoDB (yiisoft/yii2-mongodb#319) pull requests are created. Their build fails at the moment because they require this unreleased Yii2 version.
My suggestion would be to merge this PR in master and tag it as 2.0.38-alpha. Another option would be to merge this PR to a dedicated branch in the Yii2 repository. In both cases those pull requests could temporarily depend on it.

[rhertogh]

@samdark I've found the reason why the PHP 5.4 build failed, session.use-strict-mode is only available since PHP 5.5.2.
As a workaround I've implemented a polyfill to support the custom storage classes.

[rhertogh]

@samdark #18061 (comment)

code seems to be good, I need to think more about how to release it with least issues possible.

Perhaps I was to strict with my answer in the "Breaks BC?" question in the opening post. At the moment I don't see any way it would break existing installations. The only thing is that this option won't work if Session::openSession() and/or Session::writeSession() are overwritten.
So I'm not sure if it really counts as a BC change?

[samdark]

So I'm not sure if it really counts as a BC change?

Likely it's fine. I've moved MongoDB to GitHub actions and is now ready to continue with the PR.

[rhertogh]

I've moved MongoDB to GitHub actions and is not ready to continue with the PR.

If you mean that the build fails? That's because it depends on this PR to be released first. Currently it depends on a Yii version that does not yet include the required changes in framework/web/Session.php

[samdark]

I've meant "now". That was an interesting typo :)

[rhertogh]

@samdark When validating the PR I encountered an error in the UPGRADE.md since there has been a new release since the original PR. I've created PR #18362 to fix it.