I'm not sure it has any influence but just for some context, the application powered by a roadrunner server. Cookie payload is extracted at event loop and the session's cookies are computed just while reading response headers into the roadrunner psr response object.
So, the issue proper:
Yesterday, while testing session functionality, I observed that desired content was getting written to the session, but unfortunately wasn't getting picked up after what should be a redirect flow i.e. GET->POST->GET (session data gets lost here). Further debugging got me into the current state I need an extra pair of eyes on. The session file is no longer written to anywhere!
I have checked C:\wamp64\tmp but the sess_cookie-name is not there. I have tried using ini_set, session_save_path and the save_path key, all to no avail. I've restarted the server and my system. Strangely enough, another file gets written to the configured directories after each request. But since it doesn't bear the name of the cookie sent/supposed session id, it just keeps creating new ones, thereby defeating the aim of data persistence. This is the class controlling session:
namespace Suphle\Adapters\Session;
use Suphle\Contracts\IO\{EnvAccessor, Session as SessionContract};
use Suphle\Services\Decorators\BindsAsSingleton;
#[BindsAsSingleton(SessionContract::class)]
class NativeSession implements SessionContract
{
public const FLASH_KEY = "_flash_entry",
DEFAULT_SESSION_KEY = "suphle";
protected string $sessionId = "";
public function __construct(protected readonly EnvAccessor $envAccessor)
{
$this->safeToStart();
}
/**
* Avoid "session already started" errors. The superglobal must wait for this to be called before it can be accessed. Otherwise, all data from preceding request will be lost
*/
protected function safeToStart(array $sessionOptions = []): void
{ // redesign this to receive external input instead of being called from the constructor?
$isSafe = session_status() == PHP_SESSION_NONE // sessions are enabled but none exists
&& !headers_sent();
if (!$isSafe) return;
session_id($this->getSessionId());
session_start(array_merge(["save_path" => __DIR__ . "/sxc", // remove
/*"use_cookies" => 0,
"use_only_cookies" => 1,*/
"use_strict_mode" => 1
], $sessionOptions));var_dump($this->getSessionId(), $_SESSION, $_COOKIE);
}
protected function getSessionId ():string {
if (!empty($this->sessionId)) return $this->sessionId;
return $this->sessionId = $_COOKIE[self::DEFAULT_SESSION_KEY] ??
session_create_id();
}
public function getCookieData ():string {
return implode("", [
self::DEFAULT_SESSION_KEY. "=". $this->getSessionId(). ";",
"path=/; HttpOnly;",
"Max-Age=". $this->envAccessor->getField("SESSION_DURATION"). ";"
]);
}
public function setValue(string $key, $value): void
{
$_SESSION[$key] = $value;
session_write_close(); // moves data from memory to file and saves
}
public function getValue(string $key)
{
return $_SESSION[$key];
}
public function allSessionEntries(): array
{
return $_SESSION;
}
public function getOldInput(string $key)
{
return $this->getValue(self::FLASH_KEY)[$key];
}
public function setFlashValue(string $key, $value): void
{
if (!$this->hasKey(self::FLASH_KEY)) {
$this->resetOldInput();
}
$flash = $this->getValue(self::FLASH_KEY);
$flash[$key] = $value;
$this->setValue(self::FLASH_KEY, $flash);
}
public function hasKey(string $key): bool
{
return array_key_exists($key, $_SESSION);
}
public function hasOldInput(string $key): bool
{
return $this->hasKey(self::FLASH_KEY) &&
array_key_exists($key, $this->getValue(self::FLASH_KEY));
}
public function resetOldInput(): void
{
$this->setValue(self::FLASH_KEY, []);
}
public function reset(): void
{
$_SESSION = [];
session_destroy();
}
}
The question is who could the culprit be? Where is it manufacturing that weird cookie value from? Mind you, the isSafe block never runs