October 27, 2017 Javier Eguiluz

Sessions are one of the key elements of most web applications, and there's an ongoing effort to improve them in Symfony. Meanwhile, in Symfony 3.4 we paved the way for future major improvements.

Safer and lazier sessions

Contributed by Nicolas Grekas in #24523.

PHP 7.0 introduced a new interface called SessionUpdateTimestampHandlerInterface. Few people know about or use it, because it isn't even documented on the official PHP site. The interface defines just two methods, but together they let a session handler prevent session fixation and lazy-write session data:

```php
interface SessionUpdateTimestampHandlerInterface
{
    // Checks whether a session identifier already exists or not.
    public function validateId(string $key): bool;

    // Updates the timestamp of a session when its data didn't change.
    public function updateTimestamp(string $key, string $val): bool;
}
```

validateId() is what makes session.use_strict_mode effective: when a request arrives with a session ID that the handler never created (for example, one an attacker planted in the victim's browser), the handler rejects it and PHP generates a fresh ID instead of adopting the attacker-chosen one. updateTimestamp() lets the handler refresh a session's expiry without rewriting its unchanged data, which is what session.lazy_write relies on.

We added this interface to our PHP 7.0 Polyfill component and used it in a new AbstractSessionHandler base class and a new StrictSessionHandler wrapper. At the same time, we deprecated the WriteCheckSessionHandler, NativeSessionHandler and NativeProxy classes, as well as the session.use_strict_mode option, because strict mode is now always enabled.
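To make the two methods concrete, here is an added example (not Symfony's code, and not the StrictSessionHandler from the PR): a small handler that implements both SessionHandlerInterface and SessionUpdateTimestampHandlerInterface, plus two hypothetical helpers, startSession() and endSession(), that stand in for what PHP's session engine does around the handler with session.use_strict_mode and session.lazy_write. The ArraySessionHandler class, its in-memory storage and the session IDs in the demo are assumptions made for this example only.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code: a minimal session handler that implements
// both SessionHandlerInterface and SessionUpdateTimestampHandlerInterface.
// Storage is an in-memory array (a stand-in for files, a database, Redis...)
// so the script runs offline; method signatures are left untyped to match
// the PHP 7.x interfaces the article refers to.
final class ArraySessionHandler implements \SessionHandlerInterface, \SessionUpdateTimestampHandlerInterface
{
    /** @var array<string, array{data: string, expires: int}> */
    private $sessions = [];
    private $ttl;
    public $fullWrites = 0; // counters so the demo below can show what happened
    public $touches = 0;

    public function __construct(int $ttl = 1440) { $this->ttl = $ttl; }

    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }
    public function destroy($id) { unset($this->sessions[$id]); return true; }

    public function read($id)
    {
        return $this->validateId($id) ? $this->sessions[$id]['data'] : '';
    }

    public function write($id, $data)
    {
        ++$this->fullWrites;
        $this->sessions[$id] = ['data' => $data, 'expires' => time() + $this->ttl];
        return true;
    }

    public function gc($maxlifetime)
    {
        foreach ($this->sessions as $id => $s) {
            if ($s['expires'] < time()) {
                unset($this->sessions[$id]);
            }
        }
        return true;
    }

    // Strict-mode hook: accept only IDs this handler actually issued and that
    // have not expired. An ID an attacker planted in the victim's cookie was
    // never written here, so PHP discards it and generates a new one.
    public function validateId($id)
    {
        return isset($this->sessions[$id]) && $this->sessions[$id]['expires'] >= time();
    }

    // Lazy-write hook: the data did not change, so only extend the expiry
    // instead of re-serializing and rewriting the whole record.
    public function updateTimestamp($id, $data)
    {
        if (!isset($this->sessions[$id])) {
            return false;
        }
        ++$this->touches;
        $this->sessions[$id]['expires'] = time() + $this->ttl;
        return true;
    }
}

// Hypothetical helpers (assumption for the demo): a simplified imitation of
// what the PHP session engine does at session_start() with
// session.use_strict_mode=1 and at shutdown with session.lazy_write=1.
function startSession(ArraySessionHandler $handler, string $cookieId = null): string
{
    if (null !== $cookieId && $handler->validateId($cookieId)) {
        return $cookieId;
    }

    return bin2hex(random_bytes(16)); // client-supplied ID rejected: issue a fresh one
}

function endSession(ArraySessionHandler $handler, string $id, string $before, string $after)
{
    if ($before === $after && $handler->updateTimestamp($id, $after)) {
        return; // nothing changed: cheap touch, no full write
    }
    $handler->write($id, $after);
}

$handler = new ArraySessionHandler();

// 1. Fixation attempt: the victim's browser sends an ID the attacker chose.
$id = startSession($handler, 'attacker-chosen-id');
echo 'attacker ID kept: ', var_export('attacker-chosen-id' === $id, true), "\n";

// 2. First request stores data: a full write is unavoidable.
endSession($handler, $id, '', 'user_id|i:42;');

// 3. A follow-up request with the server-issued ID is accepted...
echo 'server ID accepted: ', var_export(startSession($handler, $id) === $id, true), "\n";

// ...and since nothing changed, only the timestamp is refreshed.
$data = $handler->read($id);
endSession($handler, $id, $data, $data);
echo "full writes: {$handler->fullWrites}, timestamp touches: {$handler->touches}\n";
```

Run it with the php command-line binary: the first startSession() call refuses the attacker's ID, the follow-up request with the server-issued ID is accepted, and the request that changes nothing costs a timestamp update rather than a second full write. A real handler would also need to make validateId() cheap, since it runs on every request that carries a session cookie.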