OpenPNE 3

sfConfig::set('sf_factory_storage_parameters', array_merge(array('database' => 'doctrine'), (array)$options, $params));

* Session handler using a PDO connection to read and write data.

* It works with MySQL, PostgreSQL, Oracle, SQL Server and SQLite and implements

* different locking strategies to handle concurrent access to the same session.

* Locking is necessary to prevent loss of data due to race conditions and to keep

* the session data consistent between read() and write(). With locking, requests

* for the same session will wait until the other one finished writing. For this

* reason it's best practice to close a session as early as possible to improve

* concurrency. PHPs internal files session handler also implements locking.

*

* Attention: Since SQLite does not support row level locks but locks the whole database,

* it means only one session can be accessed at a time. Even different sessions would wait

* for another to finish. So saving session in SQLite should only be considered for

* development or prototypes.

*

* Session data is a binary string that can contain non-printable characters like the null byte.

* For this reason it must be saved in a binary column in the database like BLOB in MySQL.

* Saving it in a character column could corrupt the data.

*

* @see http://php.net/sessionhandlerinterface

*

* @author Fabien Potencier <fabien@symfony.com>

* @author Michael Williams <michael.williams@funsational.com>

* @author Tobias Schultze <http://tobion.de>

* @author Shinichi Urabe <urabe@tejimaya.com>

/**

* No locking is done. This means sessions are prone to loss of data due to

* race conditions of concurrent requests to the same session. The last session

* write will win in this case. It might be useful when you implement your own

* logic to deal with this like an optimistic approach.

*/

const LOCK_NONE = 0;

/**

* Creates an application-level lock on a session. The disadvantage is that the

* lock is not enforced by the database and thus other, unaware parts of the

* application could still concurrently modify the session. The advantage is it

* does not require a transaction.

* This mode is not available for SQLite and not yet implemented for oci and sqlsrv.

*/

const LOCK_ADVISORY = 1;

/**

* Issues a real row lock. Since it uses a transaction between opening and

* closing a session, you have to be careful when you use same database connection

* that you also use for your application logic. This mode is the default because

* it's the only reliable solution across DBMSs.

*/

const LOCK_TRANSACTIONAL = 2;

/**

* @var string Database driver

*/

private $driver;

/**

* @var string Table name

*/

private $table = 'session';

/**

* @var string Column for session id

*/

private $idCol = 'id';

/**

* @var string Column for session data

*/

private $dataCol = 'session_data';

/**

* @var string Column for lifetime

*/

private $lifetimeCol = 'session_lifetime';

/**

* @var string Column for timestamp

*/

private $timeCol = 'time';

/**

* @var int The strategy for locking, see constants

*/

private $lockMode = self::LOCK_TRANSACTIONAL;

/**

* It's an array to support multiple reads before closing which is manual, non-standard usage.

*

* @var PDOStatement[] An array of statements to release advisory locks

*/

private $unlockStatements = array();

/**

* @var bool True when the current session exists but expired according to session.gc_maxlifetime

*/

private $sessionExpired = false;

/**

* @var bool Whether a transaction is active

*/

private $inTransaction = false;

/**

* @var bool Whether gc() has been called

*/

private $gcCalled = false;

/**

* Constructor.

*

* List of available options:

* * db_table: The name of the table [default: session]

* * db_id_col: The column where to store the session id [default: id]

* * db_data_col: The column where to store the session data [default: session_data]

* * db_time_col: The column where to store the timestamp [default: session_time]

* * db_lifetime_col: The column where to store the lifetime [default: session_lifetime]

* * lock_mode: The strategy for locking, see constants [default: LOCK_TRANSACTIONAL]

*

* @param array $options An associative array of options

*

* @throws InvalidArgumentException When PDO error mode is not PDO::ERRMODE_EXCEPTION

*/

public function initialize($options = array())

{

$this->table = isset($options['db_table']) ? $options['db_table'] : $this->table;

$this->idCol = isset($options['db_id_col']) ? $options['db_id_col'] : $this->idCol;

$this->dataCol = isset($options['db_data_col']) ? $options['db_data_col'] : $this->dataCol;

$this->timeCol = isset($options['db_time_col']) ? $options['db_time_col'] : $this->timeCol;

$this->lifetimeCol = isset($options['db_lifetime_col']) ? $options['db_lifetime_col'] : $this->lifetimeCol;

$this->lockMode = isset($options['lock_mode']) ? $options['lock_mode'] : $this->lockMode;

if (opDoctrineQuery::getMasterConnectionDirect()->getName() === $options['database'])

{

// Skip "lockmode' when session connection use master.

$this->lockMode = self::LOCK_NONE;

}

parent::initialize($options);

}

/**

* Returns true when the current session exists but expired according to session.gc_maxlifetime.

*

* Can be used to distinguish between a new session and one that expired due to inactivity.

*

* @return bool Whether current session expired

*/

public function isSessionExpired()

{

return $this->sessionExpired;

}

/**

* {@inheritdoc}

*/

public function sessionOpen($savePath, $sessionName)

$bool = parent::sessionOpen($savePath, $sessionName);

$this->driver = $this->db->getAttribute(PDO::ATTR_DRIVER_NAME);

return $bool;

}

/**

* {@inheritdoc}

*/

public function sessionRead($sessionId)

{

try

{

return $this->doRead($sessionId);

}

catch (PDOException $e)

{

$this->rollback();

throw $e;

}

}

/**

* {@inheritdoc}

*/

public function sessionGc($maxlifetime)

{

// We delay gc() to close() so that it is executed outside the transactional and blocking read-write process.

// This way, pruning expired sessions does not block them from being started while the current session is used.

$this->gcCalled = true;

return true;

}

/**

* {@inheritdoc}

*/

public function sessionDestroy($sessionId)

{

// delete the record associated with this id

$sql = "DELETE FROM $this->table WHERE $this->idCol = :id";

try

{

$stmt = $this->db->prepare($sql);

$stmt->bindParam(':id', $sessionId, PDO::PARAM_STR);

$stmt->execute();

}

catch (PDOException $e)

{

$this->rollback();

throw $e;

}

return true;

}

/**

* {@inheritdoc}

*/

public function sessionWrite($sessionId, $data)

{

$maxlifetime = (int) ini_get('session.gc_maxlifetime');

try

{

// We use a single MERGE SQL query when supported by the database.

$mergeSql = $this->getMergeSql();

if (null !== $mergeSql)

{

$mergeStmt = $this->db->prepare($mergeSql);

$mergeStmt->bindParam(':id', $sessionId, PDO::PARAM_STR);

$mergeStmt->bindParam(':data', $data, PDO::PARAM_LOB);

$mergeStmt->bindParam(':lifetime', $maxlifetime, PDO::PARAM_INT);

$mergeStmt->bindValue(':time', time(), PDO::PARAM_INT);

$mergeStmt->execute();

return true;

}

$updateStmt = $this->db->prepare(

"UPDATE $this->table SET $this->dataCol = :data, $this->lifetimeCol = :lifetime, $this->timeCol = :time WHERE $this->idCol = :id"

);

$updateStmt->bindParam(':id', $sessionId, PDO::PARAM_STR);

$updateStmt->bindParam(':data', $data, PDO::PARAM_LOB);

$updateStmt->bindParam(':lifetime', $maxlifetime, PDO::PARAM_INT);

$updateStmt->bindValue(':time', time(), PDO::PARAM_INT);

$updateStmt->execute();

// When MERGE is not supported, like in Postgres, we have to use this approach that can result in

// duplicate key errors when the same session is written simultaneously (given the LOCK_NONE behavior).

// We can just catch such an error and re-execute the update. This is similar to a serializable

// transaction with retry logic on serialization failures but without the overhead and without possible

// false positives due to longer gap locking.

if (!$updateStmt->rowCount())

{

try

{

$insertStmt = $this->db->prepare(

"INSERT INTO $this->table ($this->idCol, $this->dataCol, $this->lifetimeCol, $this->timeCol) VALUES (:id, :data, :lifetime, :time)"

);

$insertStmt->bindParam(':id', $sessionId, PDO::PARAM_STR);

$insertStmt->bindParam(':data', $data, PDO::PARAM_LOB);

$insertStmt->bindParam(':lifetime', $maxlifetime, PDO::PARAM_INT);

$insertStmt->bindValue(':time', time(), PDO::PARAM_INT);

$insertStmt->execute();

}

catch (PDOException $e)

{

// Handle integrity violation SQLSTATE 23000 (or a subclass like 23505 in Postgres) for duplicate keys

if (0 === strpos($e->getCode(), '23'))

{

$updateStmt->execute();

}

else

{

throw $e;

}

}

}

}

catch (PDOException $e)

{

$this->rollback();

throw $e;

}

return true;

}

/**

* {@inheritdoc}

*/

public function sessionClose()

{

$this->commit();

while ($unlockStmt = array_shift($this->unlockStatements))

{

$unlockStmt->execute();

}

if ($this->gcCalled)

{

$this->gcCalled = false;

// delete the session records that have expired

$sql = "DELETE FROM $this->table WHERE $this->lifetimeCol + $this->timeCol < :time";

$stmt = $this->db->prepare($sql);

$stmt->bindValue(':time', time(), PDO::PARAM_INT);

$stmt->execute();

}

return true;

}

/**

* Helper method to begin a transaction.

*

* Since SQLite does not support row level locks, we have to acquire a reserved lock

* on the database immediately. Because of https://bugs.php.net/42766 we have to create

* such a transaction manually which also means we cannot use PDO::commit or

* PDO::rollback or PDO::inTransaction for SQLite.

*

* Also MySQLs default isolation, REPEATABLE READ, causes deadlock for different sessions

* due to http://www.mysqlperformanceblog.com/2013/12/12/one-more-innodb-gap-lock-to-avoid/ .

* So we change it to READ COMMITTED.

*/

private function beginTransaction()

{

if (!$this->inTransaction)

{

if ('sqlite' === $this->driver)

{

$this->db->exec('BEGIN IMMEDIATE TRANSACTION');

}

else

{

if ('mysql' === $this->driver)

{

$this->db->exec('SET TRANSACTION ISOLATION LEVEL READ COMMITTED');

}

$this->db->beginTransaction();

}

$this->inTransaction = true;

}

}

/**

* Helper method to commit a transaction.

*/

private function commit()

{

if ($this->inTransaction)

{

try

{

// commit read-write transaction which also releases the lock

if ('sqlite' === $this->driver)

{

$this->db->exec('COMMIT');

}

else

{

$this->db->commit();

}

$this->inTransaction = false;

}

catch (PDOException $e)

{

$this->rollback();

throw $e;

}

}

}

/**

* Helper method to rollback a transaction.

*/

private function rollback()

{

// We only need to rollback if we are in a transaction. Otherwise the resulting

// error would hide the real problem why rollback was called. We might not be

// in a transaction when not using the transactional locking behavior or when

// two callbacks (e.g. destroy and write) are invoked that both fail.

if ($this->inTransaction)

{

if ('sqlite' === $this->driver)

{

$this->db->exec('ROLLBACK');

}

else

{

$this->db->rollBack();

}

$this->inTransaction = false;

}

}

/**

* Reads the session data in respect to the different locking strategies.

*

* We need to make sure we do not return session data that is already considered garbage according

* to the session.gc_maxlifetime setting because gc() is called after read() and only sometimes.

*

* @param string $sessionId Session ID

*

* @return string The session data

*/

private function doRead($sessionId)

{

$this->sessionExpired = false;

if (self::LOCK_ADVISORY === $this->lockMode)

{

$this->unlockStatements[] = $this->doAdvisoryLock($sessionId);

}

$selectSql = $this->getSelectSql();

$selectStmt = $this->db->prepare($selectSql);

$selectStmt->bindParam(':id', $sessionId, PDO::PARAM_STR);

$selectStmt->execute();

$sessionRows = $selectStmt->fetchAll(PDO::FETCH_NUM);

if ($sessionRows)

{

if ($sessionRows[0][1] + $sessionRows[0][2] < time())

{

$this->sessionExpired = true;

return '';

}

return is_resource($sessionRows[0][0]) ? stream_get_contents($sessionRows[0][0]) : $sessionRows[0][0];

}

if (self::LOCK_TRANSACTIONAL === $this->lockMode && 'sqlite' !== $this->driver)

{

// Exclusive-reading of non-existent rows does not block, so we need to do an insert to block

// until other connections to the session are committed.

try

{

$insertStmt = $this->db->prepare(

"INSERT INTO $this->table ($this->idCol, $this->dataCol, $this->lifetimeCol, $this->timeCol) VALUES (:id, :data, :lifetime, :time)"

);

$insertStmt->bindParam(':id', $sessionId, PDO::PARAM_STR);

$insertStmt->bindValue(':data', '', PDO::PARAM_LOB);

$insertStmt->bindValue(':lifetime', 0, PDO::PARAM_INT);

$insertStmt->bindValue(':time', time(), PDO::PARAM_INT);

$insertStmt->execute();

}

catch (PDOException $e)

{

// Catch duplicate key error because other connection created the session already.

// It would only not be the case when the other connection destroyed the session.

if (0 === strpos($e->getCode(), '23'))

{

// Retrieve finished session data written by concurrent connection. SELECT

// FOR UPDATE is necessary to avoid deadlock of connection that starts reading

// before we write (transform intention to real lock).

$selectStmt->execute();

$sessionRows = $selectStmt->fetchAll(PDO::FETCH_NUM);

if ($sessionRows)

{

return is_resource($sessionRows[0][0]) ? stream_get_contents($sessionRows[0][0]) : $sessionRows[0][0];

}

return '';

}

throw $e;

}

}

return '';

}

/**

* Executes an application-level lock on the database.

*

* @param string $sessionId Session ID

*

* @return PDOStatement The statement that needs to be executed later to release the lock

*

* @throws DomainException When an unsupported PDO driver is used

*

* @todo implement missing advisory locks

* - for oci using DBMS_LOCK.REQUEST

* - for sqlsrv using sp_getapplock with LockOwner = Session

*/

private function doAdvisoryLock($sessionId)

{

switch ($this->driver)

{

case 'mysql':

// should we handle the return value? 0 on timeout, null on error

// we use a timeout of 50 seconds which is also the default for innodb_lock_wait_timeout

$stmt = $this->db->prepare('SELECT GET_LOCK(:key, 50)');

$stmt->bindValue(':key', $sessionId, PDO::PARAM_STR);

$stmt->execute();

$releaseStmt = $this->db->prepare('DO RELEASE_LOCK(:key)');

$releaseStmt->bindValue(':key', $sessionId, PDO::PARAM_STR);

return $releaseStmt;

case 'pgsql':

// Obtaining an exclusive session level advisory lock requires an integer key.

// So we convert the HEX representation of the session id to an integer.

// Since integers are signed, we have to skip one hex char to fit in the range.

if (4 === PHP_INT_SIZE)

{

$sessionInt1 = hexdec(substr($sessionId, 0, 7));

$sessionInt2 = hexdec(substr($sessionId, 7, 7));

$stmt = $this->db->prepare('SELECT pg_advisory_lock(:key1, :key2)');

$stmt->bindValue(':key1', $sessionInt1, PDO::PARAM_INT);

$stmt->bindValue(':key2', $sessionInt2, PDO::PARAM_INT);

$stmt->execute();

$releaseStmt = $this->db->prepare('SELECT pg_advisory_unlock(:key1, :key2)');

$releaseStmt->bindValue(':key1', $sessionInt1, PDO::PARAM_INT);

$releaseStmt->bindValue(':key2', $sessionInt2, PDO::PARAM_INT);

}

else

{

$sessionBigInt = hexdec(substr($sessionId, 0, 15));

$stmt = $this->db->prepare('SELECT pg_advisory_lock(:key)');

$stmt->bindValue(':key', $sessionBigInt, PDO::PARAM_INT);

$stmt->execute();

$releaseStmt = $this->db->prepare('SELECT pg_advisory_unlock(:key)');

$releaseStmt->bindValue(':key', $sessionBigInt, PDO::PARAM_INT);

}

return $releaseStmt;

case 'sqlite':

throw new DomainException('SQLite does not support advisory locks.');

default:

throw new DomainException(sprintf('Advisory locks are currently not implemented for PDO driver "%s".', $this->driver));

}

}

/**

* Return a locking or nonlocking SQL query to read session information.

*

* @return string The SQL string

*

* @throws DomainException When an unsupported PDO driver is used

*/

private function getSelectSql()

{

if (self::LOCK_TRANSACTIONAL === $this->lockMode)

{

$this->beginTransaction();

switch ($this->driver)

{

case 'mysql':

case 'oci':

case 'pgsql':

return "SELECT $this->dataCol, $this->lifetimeCol, $this->timeCol FROM $this->table WHERE $this->idCol = :id FOR UPDATE";

case 'sqlsrv':

return "SELECT $this->dataCol, $this->lifetimeCol, $this->timeCol FROM $this->table WITH (UPDLOCK, ROWLOCK) WHERE $this->idCol = :id";

case 'sqlite':

// we already locked when starting transaction

break;

default:

throw new DomainException(sprintf('Transactional locks are currently not implemented for PDO driver "%s".', $this->driver));

}

}

return "SELECT $this->dataCol, $this->lifetimeCol, $this->timeCol FROM $this->table WHERE $this->idCol = :id";

}

/**

* Returns a merge/upsert (i.e. insert or update) SQL query when supported by the database for writing session data.

*

* @return string|null The SQL string or null when not supported

*/

private function getMergeSql()

{

switch ($this->driver)

{

case 'mysql':

return "INSERT INTO $this->table ($this->idCol, $this->dataCol, $this->lifetimeCol, $this->timeCol) VALUES (:id, :data, :lifetime, :time) ".

"ON DUPLICATE KEY UPDATE $this->dataCol = VALUES($this->dataCol), $this->lifetimeCol = VALUES($this->lifetimeCol), $this->timeCol = VALUES($this->timeCol)";

case 'oci':

// DUAL is Oracle specific dummy table

return "MERGE INTO $this->table USING DUAL ON ($this->idCol = :id) ".

"WHEN NOT MATCHED THEN INSERT ($this->idCol, $this->dataCol, $this->lifetimeCol, $this->timeCol) VALUES (:id, :data, :lifetime, :time) ".

"WHEN MATCHED THEN UPDATE SET $this->dataCol = :data, $this->lifetimeCol = :lifetime, $this->timeCol = :time";

case 'sqlsrv' === $this->driver && version_compare($this->db->getAttribute(PDO::ATTR_SERVER_VERSION), '10', '>='):

// MERGE is only available since SQL Server 2008 and must be terminated by semicolon

// It also requires HOLDLOCK according to http://weblogs.sqlteam.com/dang/archive/2009/01/31/UPSERT-Race-Condition-With-MERGE.aspx

return "MERGE INTO $this->table WITH (HOLDLOCK) USING (SELECT 1 AS dummy) AS src ON ($this->idCol = :id) ".

"WHEN NOT MATCHED THEN INSERT ($this->idCol, $this->dataCol, $this->lifetimeCol, $this->timeCol) VALUES (:id, :data, :lifetime, :time) ".

"WHEN MATCHED THEN UPDATE SET $this->dataCol = :data, $this->lifetimeCol = :lifetime, $this->timeCol = :time;";

case 'sqlite':

return "INSERT OR REPLACE INTO $this->table ($this->idCol, $this->dataCol, $this->lifetimeCol, $this->timeCol) VALUES (:id, :data, :lifetime, :time)";

}