fix(session): guard session_destroy() when no active PHP session#162
Merged
Conversation
Horde_Session initializes $_SESSION to [] in its constructor before session_start() runs. SessionLifecycle::destroy() and the legacy Horde_Session::destroy() fallback used isset($_SESSION) as the guard, which is always true once the shim is constructed. That caused repeated PHP warnings: session_destroy(): Trying to destroy uninitialized session Replace the isset($_SESSION) check with session_status() === PHP_SESSION_ACTIVE. SessionLifecycle also consults $this->active so the normal lifecycle path remains covered when the local flag is authoritative.
Member
|
Great, thank you! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Session destroy guard fix
Conventional commit message
Pull request
Title
fix(session): guard session_destroy() when no active PHP sessionBody
Summary
SessionLifecycle::destroy()orHorde_Session::destroy()runs without an active PHP session (e.g. logout/auth cleanup beforesession_start(), orprocessFlags()handling a pending destroy marker).isset($_SESSION)withsession_status() === PHP_SESSION_ACTIVEas the guard before callingsession_destroy().SessionLifecycle::destroy(), also check$this->activeso the lifecycle’s tracked state remains the primary gate on the normal code path.Problem
Horde_Session::__construct()ensures$_SESSIONexists as an empty array even when PHP’s session module has not been started:Both destroy paths previously guarded
session_destroy()withisset($_SESSION), which is true in that situation. PHP 8+ then emits:This showed up repeatedly in Horde logs during logout and other auth-cleanup flows.
Changes
src/Session/SessionLifecycle.phpsession_destroy()with$this->active || session_status() === PHP_SESSION_ACTIVElib/Horde/Session.phpsession_destroy()withsession_status() === PHP_SESSION_ACTIVENon-destructive cleanup (
$_SESSION = [], rebuildHordeSession, clear secrets/lifecycle flags) is unchanged and still runs when no PHP session is active.Test plan
session_destroy(): Trying to destroy uninitialized sessionwarnings in the Horde log.$destroy = true— no warnings.SessionLifecycleTestunit suite passes (vendor/bin/phpunit test/Unit/Session/SessionLifecycleTest.php).