User Session Serializer

[yohgaki]

This PR is to add user defined session serializer.
User defined session serializer can be used

• to encrypt/decrypt session data
• to serialize session data as JSON/XML/etc
• to add hidden management data for session

This PR is required for deprecating current OO style session save handler and implement new OO style session save handler that does not have any base class. i.e. Do not create and use currently used internal save handler as base class. This will eliminate many kinds of session save handler abuses.

[php-pulls]

Comment on behalf of krakjoe at php.net:

labelling

[krakjoe]

When this is ready for discussion, please squash the commits and use a sensible log message ... the log is very noisy ...

[mfn]

Why should the feature for user defined serialized affect the return value of this method?

[yohgaki]

It must return NULL because perse parameter is failing. Not sure why older code produces bool(false). I'll check it later.

[krakjoe]

The RFC was declined, closing.

[nolimitdev]

Reason for this PR is mentioned by yohgaki here: https://gist.github.com/yohgaki/432579e535ae97856a1227e4d47d0e2e
But I think we do not have to use serialize() and unserialize() to store JSON in session file. See my solution...

class MyHandler extends SessionHandler {

    function read($session_id) {
        $content = parent::read($session_id);
        if (!empty($content) && ($json_decode = json_decode($content, true)) !== null) {
            $_SESSION = $json_decode;
            return '';
        }

        return $content;
    }

    function write($session_id, $session_data) {
        if (empty($_SESSION) || ($json_encode = json_encode($_SESSION, JSON_UNESCAPED_UNICODE)) === false) {
            $json_encode = '';
        }

        return parent::write($session_id, $json_encode);
    }
}

Advantages of this solution:

• no overhead using serialize() and unserialize() as in https://gist.github.com/yohgaki/432579e535ae97856a1227e4d47d0e2e
• independent on session.serialize_handler ("php_serialize" is not required because of omitting serialize and unserialize... "php_serialize" is not available before PHP 5.5.4)
• when using internal "php" (not compatible with serialize and unserialize functions) as session.serialize_handler we can use special characters (| and !) in indexes of $_SESSION
• deploying this code first time on production will not break existing sessions (thanks to return $content when decoding as JSON fails)

... so I do not thing that something like suggested session_set_save_handler() is needed

[yohgaki]

@nolimitdev
You didn't realize that session module ALWAYS serialize by current serializer.

Therefore, your code simply don't optimize anything without user defined serializer.

[yohgaki]

Anyway, hacks are not good way for solutions.
Modularized approach is better always.

[yohgaki]

@nolimitdev I read your code again. You should read session.c before comment.