On 26.05.2013 17:59, Thomas Bruederli wrote:
Second, there are reasons that Roundcube comes with a custom session handler and those are still valid. We didn't do this just for fun, believe me!
i did not say this, but they are not relevant in all setups
The main reason is concurrent HTTP requests which alter session data. Imagine the following scenario:
A) [r]----------- big file being uploaded ------------[w]
B) [r]----- fast upload ----[w]
In PHP, session data is read when the process starts and written when the process ends. With the scenario from above, the session changes of request B) would be lost when A) finishes. Until now I don't know of any solution with default PHP session handlers that would be able to handle such a case properly.
and that is why session-files are locked
well, you could come now again with performance but i am developing long enough web-applications with real load to not see why RC is special
Another more performance-related reason for our custom handler is the check if session data actually changed before issuing a (useless) update query
without the custom handler there would be no db query at all
Sure, we could store file upload information somewhere else than in session but the underlying problem of concurrent requests overlapping each other still persists and can happen in other cases, too
if it comes to integrity it is a *bad idea* to write *lockless* in session data which does not happen in the default handler
@Harald, could you run Roundcube on a PHP5.4 without Suhosin to rule that out first?
it is the combination of Suhosin and PHP 5.4
but since my main-job is php-developer and all applications i developed and maintain except RC are working in the test-setups and on all of the developer-machines i have zero understanding for *one* app which does not and there are much more critical things like a webmail client which is nice-to-have but not more if it comes to business users
** give us an option to NOT touch any session setting **
P.S. we can but for the just explained reasons your Roundcube users will complain about lost attachments and other weird behavior
why does this need a *custom* session handler? sorry - no, zero understanding
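
The overlap from the quoted A)/B) scenario, replayed against an in-memory store as an added example (not part of the original email and not Roundcube's code): an unlocked whole-session overwrite loses B's change, while a handler that writes back only the keys it changed keeps both uploads and skips the write for an unchanged session. The `Store` and `Request` classes, the key names and the merge strategy are assumptions made for illustration.

```php
<?php
// Constructed in-memory stand-in for the session backend (file or DB row).
final class Store { public array $data = []; public int $writes = 0; }

// One simulated request: session read at start [r], written at end [w].
final class Request {
    private array $snapshot;
    public array $session;
    public function __construct(private Store $store) {
        $this->snapshot = $this->session = $store->data;      // [r]
    }
    // Unlocked overwrite of the whole session with this request's copy.
    public function writeWhole(): void {
        $this->store->data = $this->session;                  // [w]
        $this->store->writes++;
    }
    // Hypothetical merge-on-write: apply only keys this request changed.
    public function writeMerged(): void {
        if ($this->session === $this->snapshot) {
            return;                                           // unchanged: skip the write
        }
        $current = $this->store->data;                        // re-read latest state
        foreach ($this->session as $k => $v) {
            if (!array_key_exists($k, $this->snapshot) || $this->snapshot[$k] !== $v) {
                $current[$k] = $v;
            }
        }
        foreach (array_diff_key($this->snapshot, $this->session) as $k => $_) {
            unset($current[$k]);                              // key removed by this request
        }
        $this->store->data = $current;                        // [w]
        $this->store->writes++;
    }
}

function scenario(string $write): array {
    $store = new Store();
    $a = new Request($store);              // A) [r] big upload starts
    $b = new Request($store);              // B) [r] fast upload starts
    $b->session['upload_b'] = 'b.txt';     // constructed sample values
    $b->$write();                          // B) [w]
    $a->session['upload_a'] = 'a.iso';
    $a->$write();                          // A) [w] finishes last
    (new Request($store))->$write();       // C) read-only request
    return ['keys' => array_keys($store->data), 'writes' => $store->writes];
}
foreach (['writeWhole', 'writeMerged'] as $w) {
    echo $w, ': ', json_encode(scenario($w)), PHP_EOL;
}
```

With the default files handler holding its lock from session start until the write, B's read would wait for A's write, so this interleaving cannot occur there; the requests are serialized instead.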