refactor(session): reshape Horde_Session as shim over modern PSR-4 stack (#135)
Merged
Horde_Session now delegates to Horde\Core\Session\HordeSession for data storage and to Horde\Token\Token for CSRF tokens. setup() installs the modern Horde\SessionHandler\SessionHandler via session_set_save_handler. Legacy public API and $GLOBALS['session'] are preserved. Horde_Pack wire format kept for ENCRYPT/TYPE_ARRAY/TYPE_OBJECT masks so existing on-disk sessions continue to decode. _mirrorToSession() syncs the modern payload into $_SESSION before shutdown. Token service resolved lazily to avoid a circular DI dependency. checkToken rethrows as Horde_Exception for legacy callers. Constructor args are all optional with a no-injector fallback for legacy tests. setup() drops the dead use_only_cookies=0 branch and expands the FQDN mismatch message to name localhost. Refs #131
Summary

- `Horde_Session` now delegates to `Horde\Core\Session\HordeSession` for data storage and to `Horde\Token\Token` for CSRF tokens.
- `setup()` installs the modern `Horde\SessionHandler\SessionHandler` via `session_set_save_handler`.
- The legacy public API and `$GLOBALS['session']` global are preserved.
- `Horde_Pack` wire format is kept for `ENCRYPT`/`TYPE_ARRAY`/`TYPE_OBJECT` masks so existing on-disk sessions continue to decode.
- A `_mirrorToSession()` helper syncs the modern payload into `$_SESSION` before shutdown / destroy so PHP's save handler writes the up-to-date data.
- Token service resolution is lazy to avoid a circular DI dependency at construction time (`TokenServiceFactory::create()` reads `$GLOBALS['session']`, which is the shim itself).
- `checkToken` rethrows as `Horde_Exception('Invalid token!')` so existing call sites that catch `Horde_Exception` keep working.
- Constructor args are all optional with a no-injector fallback so legacy tests that do `new Horde_Session()` (e.g. `Horde_Test_Factory_Session`, `NlsconfigTest`) continue to work.
- `setup()` drops the dead `use_only_cookies = 0` branch (URL-based sessions are not used) and keeps the FQDN check with an expanded message that names localhost as the typical pitfall.

Token semantics change

Legacy `$session->getToken()` returned a stable per-session random id stored in `$_SESSION['horde']['session_token']`. After this change, tokens are HMAC-signed via `Horde\Token\Token` and are NOT stable across calls within a session. All known framework + app call sites round-trip the token (emit, POST, verify), so the change is safe. Two cache-key consumers in Core (`Horde_Core_Cache_Session`, `Horde_Core_HashTable_PersistentSession`) already moved to `sha1(session_id())` in anticipation of this cutover.

Standalone

This PR is self-sufficient. No accompanying changes in `horde/base` or apps are required. The shim preserves every legacy entry point (get/set/exists/remove/getToken/checkToken/getNonce/setup/start/close/destroy/clean/isActive).

Follow-ups (separate PRs)

- `Horde_Registry` session bootstrap now that the shim does the heavy lifting.
- `bin/horde-sessions-gc` and `bin/horde-active-sessions` to `Horde\SessionHandler\SessionAdministrator`; remove the legacy `Horde_Core_Factory_SessionHandler`.
- `$_SESSION` access sites (`base/src/Service/AuthenticationService.php`, `base/src/Auth/ResponsiveLoginController.php`, `base/src/Portal/ResponsivePortalController.php`, `turba/lib/Turba.php`) to inject `HordeSession`.

Refs #131
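The "Token semantics change" above is the part of this PR that callers can trip over: an HMAC-signed token that embeds per-call randomness still round-trips (emit, POST, verify) but is no longer a stable per-session identifier, so it cannot double as a cache key. The following is an added, self-contained illustration of that property and is not Horde's code; `SignedTokenDemo`, its secret and session id are constructed for the demo, and `Horde\Token\Token` may differ in format.

```php
<?php
// Added illustration (hypothetical class, not Horde\Token\Token): an HMAC-signed
// CSRF token that is bound to a session and verifiable, yet differs on every issue.
final class SignedTokenDemo
{
    public function __construct(private string $secret, private int $ttl = 3600) {}

    // Each call embeds a fresh nonce, so two tokens for one session never match.
    public function issue(string $sessionId): string
    {
        $payload = $sessionId . '|' . time() . '|' . bin2hex(random_bytes(8));
        $mac = hash_hmac('sha256', $payload, $this->secret);
        return base64_encode($payload . '|' . $mac);
    }

    // Verification checks the MAC, the session binding and the age of the token.
    public function check(string $token, string $sessionId): bool
    {
        $decoded = base64_decode($token, true);
        if ($decoded === false) { return false; }
        $parts = explode('|', $decoded);
        if (count($parts) !== 4) { return false; }
        [$sid, $ts, $nonce, $mac] = $parts;
        $expected = hash_hmac('sha256', "$sid|$ts|$nonce", $this->secret);
        if (!hash_equals($expected, $mac)) { return false; }   // tampered or foreign key
        if (!hash_equals($sid, $sessionId)) { return false; }  // token from another session
        return (time() - (int) $ts) <= $this->ttl;             // expired tokens are rejected
    }
}

$svc = new SignedTokenDemo('constructed-secret-for-demo');
$sid = 'constructed-session-id';                         // stands in for session_id()
$a = $svc->issue($sid);
$b = $svc->issue($sid);
var_dump($a !== $b);                          // true: not a stable per-session id
var_dump($svc->check($a, $sid));              // true: emit -> POST -> verify still works
var_dump($svc->check($a, 'other-session'));   // false: bound to the issuing session
var_dump($svc->check($a . 'x', $sid));        // false: base64/MAC check fails on tampering

// A consumer that needs a stable per-session key must not use the token; derive it
// from the session id instead, as the Core cache consumers in this PR now do.
$cacheKey = sha1($sid);
```

Run it twice in one session and the two token strings differ while both verify, which is exactly why anything keyed on `getToken()` has to move to `sha1(session_id())`.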