
aliene/phalcon-session-redis
============================

An alternative Redis session handler for Phalcon PHP

v0.1.1 (7y ago) | MIT | PHP >=5.6

[Source](https://github.com/ianbrind/PhalconSessionRedis) | [Packagist](https://packagist.org/packages/aliene/phalcon-session-redis)

RedisSessionHandler
===================

An alternative Redis session handler for Phalcon PHP featuring session locking and session fixation protection.

Installation
------------

PhalconSessionRedis requires PHP >=5.6 with the phpredis extension enabled and a Redis >=2.6 endpoint. Add [`aliene/phalcon-session-redis`](https://packagist.org/packages/aliene/phalcon-session-redis) to the `composer.json` file:

```
$ composer require aliene/phalcon-session-redis

```

Example
-------

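```
// services.php

require_once __DIR__ . '/../vendor/autoload.php';

// Register the Redis-backed session as a DI service.
$di->set("session", function() {
    $session = new \Aliene\Phalcon\Session\Redis([
        "host" => "localhost",
        "auth" => "password", // Redis AUTH password (placeholder value)
        "lifetime" => 3600 // ttl 1 hour
    ]);

    $session->start();

    // The closure must return the instance, otherwise the service resolves to null.
    return $session;
});
```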

Available options:

- `host` (string), default `"localhost"`
- `port` (int), default `6379`
- `lifetime` (int), default `3600`, the session lifetime (ttl)
- `prefix` (string), default `'SESSIONS:'`
- `auth` (string), default `null`
- `database` (int), default `0`

Currently only a single host definition is supported.

Known Caveats
-------------

### Using PhalconSessionRedis with the `max_execution_time` directive set to `0` is not recommended

Whenever it can, the handler uses the `max_execution_time` directive as a hard timeout for the session lock. This is a last-resort mechanism to release the session lock even if the PHP process crashes and the handler fails to do it itself.

When `max_execution_time` is set to `0` (meaning there is no maximum execution time), this kind of hard timeout cannot be used, because the lock must be kept for as long as it takes to run the script, which is an unknown amount of time. If the PHP process then crashes for some unexpected reason and the handler fails to release the lock, there is no safety net: you end up with a dangling lock that you have to detect and purge by other means.

So when using PhalconSessionRedis it is advised *not* to disable `max_execution_time`.
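
The dangling-lock scenario described above, as an added example (not code from PhalconSessionRedis): an in-memory stand-in for Redis `SET ... NX PX` shows that a crashed worker's lock expires when a hard timeout exists, and keeps blocking the next request when `max_execution_time` is `0`. `FakeRedis`, `acquireLock`, the `LOCK:` prefix and using `max_execution_time` directly as the lock TTL are assumptions made for illustration.

```php
<?php
// Hypothetical in-memory stand-in for Redis "SET key value NX PX ttl".
final class FakeRedis
{
    private $keys = [];  // key => [value, expiresAtMs or null]
    public $nowMs = 0;   // injected clock so the demo is deterministic

    public function setNx($key, $value, $ttlMs = null)
    {
        $this->evict($key);
        if (isset($this->keys[$key])) {
            return false; // another request still holds the lock
        }
        $expiresAt = $ttlMs === null ? null : $this->nowMs + $ttlMs;
        $this->keys[$key] = [$value, $expiresAt];
        return true;
    }

    private function evict($key)
    {
        if (isset($this->keys[$key]) && $this->keys[$key][1] !== null
            && $this->keys[$key][1] <= $this->nowMs) {
            unset($this->keys[$key]); // TTL elapsed, key is gone
        }
    }
}

// Assumption: the lock TTL equals max_execution_time; 0 means no TTL at all.
function acquireLock(FakeRedis $redis, $sessionId, $maxExecutionTime)
{
    $ttlMs = $maxExecutionTime > 0 ? $maxExecutionTime * 1000 : null;
    return $redis->setNx('LOCK:' . $sessionId, uniqid('', true), $ttlMs);
}

// Worker 1 takes the lock and crashes without releasing it; a second
// request for the same (constructed) session ID arrives 60 seconds later.
function secondRequestGetsLock($maxExecutionTime)
{
    $redis = new FakeRedis();
    acquireLock($redis, 'abc123', $maxExecutionTime);
    $redis->nowMs += 60000;
    return acquireLock($redis, 'abc123', $maxExecutionTime);
}

var_dump(secondRequestGetsLock(30)); // hard timeout of 30 s configured
var_dump(secondRequestGetsLock(0));  // max_execution_time disabled
```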

### PhalconSessionRedis supports neither `session.use_trans_sid=1` nor `session.use_cookies=0`

When these directives are set this way PHP switches from using cookies to passing the session ID around as a query param.

PhalconSessionRedis cannot work in this mode. *This is by design*.

### PhalconSessionRedis ignores the `session.use_strict_mode` directive

Because running PHP with strict mode disabled (which is the default!) does not make any sense whatsoever. PhalconSessionRedis only works in strict mode. The *Session fixation* section of this README explains what that means.

Motivation
----------

The Redis session handler bundled with [phpredis](https://github.com/phpredis/phpredis) has had a couple of rather serious bugs for years, namely the [lack of per-session locking](https://github.com/phpredis/phpredis/issues/37) and the [impossibility to protect against session fixation attacks](https://github.com/phpredis/phpredis/issues/1033).

This package provides a compatible session handler built on top of the Redis extension that is not affected by these issues.

### Session Locking explained

In the context of PHP, "session locking" means that when multiple requests with the same session ID hit the server at roughly the same time, only one gets to run while the others get stuck waiting inside `session_start()`. Only when that first request finishes or explicitly runs [`session_write_close()`](http://php.net/manual/en/function.session-write-close.php) can one of the others move on.

When a session handler does not implement session locking, concurrency bugs might start to surface under heavy traffic. I'll demonstrate the problem using the default phpredis handler and this simple script:

```
