Jordi Boggiano
@seldaek


Beware of session locking

Sessions

User data, authentication, workflows, ...

Sessions Lock

Raw PHP

session_start();
    => locked
// .. do things here
session_write_close();
    => unlocked

Frameworks

Request comes in
Is there a user?
    => locked
// .. do things here
End of request
    => unlocked

Let's run some tests

<html>
<script>
    for (var i=0; i<20; i++) {
        fetch('/favicon.ico', {credentials: 'include'});
    }
</script>
</html>
                

/favicon.ico

Let's run some tests

<?php

session_start();
$_SESSION['test'] = time();

sleep(2);
echo 'Done';

?>
                

/test.php

Let's run some more tests

<?php

session_start();
$_SESSION['test'] = time();

session_write_close();

sleep(2);
echo 'Done';

?>
                

/test_session_close.php

Close the session ASAP!

// native
session_write_close();

// symfony2
$request->getSession()->save();

// zf2
$sessionManager->writeClose();
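
An added example (not from the original slides) of the "close ASAP" pattern in native PHP: read the session without keeping the lock, then reopen it only for the moment a write is needed. The helper names `session_snapshot` and `session_update` are hypothetical, and the `read_and_close` option requires PHP 7.0 or later.

```php
<?php
// Added example, not from the slides. Helper names are hypothetical.

/**
 * Load the session data and release the lock immediately.
 * The read_and_close option (PHP >= 7.0) closes the session right after reading.
 */
function session_snapshot(): array
{
    session_start(['read_and_close' => true]);   // => locked, read, unlocked
    return $_SESSION ?? [];
}

/**
 * Reopen the session only long enough to apply one change.
 * session_start() reloads $_SESSION from storage, so the change is applied
 * to current data and not to a snapshot that another request may have
 * changed in the meantime.
 * Call this before any output: session_start() may need to send headers.
 */
function session_update(callable $mutate): void
{
    session_start();            // => locked
    $mutate($_SESSION);         // the callable takes the array by reference
    session_write_close();      // => unlocked, changes persisted
}

$session = session_snapshot();
$lastRun = $session['test'] ?? null;   // reading needs no lock

sleep(2);   // slow work as in test.php; other requests are not blocked here

session_update(function (array &$s): void {
    $s['test'] = time();
});

echo 'Done';
```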
                

That is all.

Questions?

@seldaek

slides.seld.be