Symfony 6 Certification New exam with updated questions 100% online Show your expertise

New in Symfony 3.4: session improvements

Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.

Sessions are one of the key elements for most web applications and there's an ongoing effort to improve them in Symfony. Meanwhile, in Symfony 3.4 we paved the way to future major improvements.

Safer and lazier sessions

Contributed by
Nicolas Grekas
in #24523.

PHP 7.0 introduced a new interface called SessionUpdateTimestampHandlerInterface. Few people know or use this interface because it's not even documented on the official PHP site. The interface defines just two methods, but they allow to prevent session fixation issues and lazy-write in session handlers:

interface SessionUpdateTimestampHandlerInterface
    // Checks if a session identifier already exists or not.
    public function validateId(string $key) : bool;

    // Updates the timestamp of a session when its data didn't change.
    public function updateTimestamp(string $key, string $val) : bool;

We added this interface to our PHP 7.0 Polyfill component and used it in a new AbstractSessionHandler base class and a new StrictSessionHandler wrapper. At the same time, we deprecated the WriteCheckSessionHandler, NativeSessionHandler and NativeProxy classes and the session.use_strict_mode option, which now will always be enabled by default.

Deprecated some session handlers

Contributed by
Tobias Schultze
in #24389 and #24443.

The memcache PECL extension hasn't released a version in more than 4 years and the latest release is not compatible with PHP 7. That's why we decided to deprecate MemcacheSessionHandler, which is also consistent with our decision to not support Memcache for the Cache and Lock components. Instead of this deprecated handler, you should use MemcachedSessionHandler, which is based on the Memcached PHP extension.

In addition, the DbalSessionHandler was also deprecated in favor of PdoSessionHandler because it lacks all the improvements introduced in the PdoSessionHandler (lock modes, delayed garbage collector, configurable naming, etc.) The only advantage it had was the ability to work with non-PDO drivers. However, given that DBAL now requires PDO as well, this is no longer relevant.

Help the Symfony project!

As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.


Thank you guys ! Great job !

Comments are closed.

To ensure that comments stay relevant, they are closed for old posts.