auto session start #1097
auto session start #1097
Conversation
Start automatically when the session is initialized. Why is it a separate $session->start()? auto start is not ok? Before: $session = session()->start(); After: $session = session(); Before: $session = \Config\Services::session($config); $session->start(); After: $session = \Config\Services::session($config);
Start automatically when the session is initialized.
|
I wasn't involved in the original architecture of the session stuff, I just ported it over. Looking over the main session class I can't see why we shouldn't do this. However, you should put a check within the |
|
if sessions are enabled, but none exists. start() method will be executed. Please confirm the |
True - assuming everyone plays by the rules. :) Someone can still call |
|
OK.I understand. |
Start automatically when the session is initialized.
|
@lonnieezell |
https://bcit-ci.github.io/CodeIgniter4/database/model.html#deleting-data An array of primary keys can be passed in as the first parameter to delete multiple records at once: `$userModel->delete([1,2,3]);`
|
@lonnieezell |
|
@bangbangda Your PR has conflicts that need to be resolved, before travis-ci can be run, and without considering whether or not it is a good idea to auto-start sessions. |
|
@bangbangda You merged in changes to the Model class that are already in core. Those should not be part of this, please remove. |
Update code
|
@lonnieezell yes.deletion is complete. |
|
Thanks works for me, Thanks @bangbangda |
|
Although I just realized this might wreak havoc on testing... but we'll work that out since session tests already broken. |
|
Hmmm - I remember a similar PR for CI3, and Andrey argued strongly against auto-starting sessions. Don't remember the reasoning. I haven't taken a look at the PR, but I trust that any auto-starting is a configurable option. |
|
From what I recall of Andrey's reasoning - autostarting the session on every page load could lead to DOS attacks from the sheer number of session being created and some other related security type issues. Completely agree with those. What this PR does, though, is to start the session the first time you request it, instead of asking you to do session->start() immediately afterword. I think it should be fine, as I can't think of any additional actions you'd take with the session library before it's started, and none of the methods in the Session class seemed to provide any benefit prior. Unless you can think of any issues with that? |
|
It might work fine, then. A DOS attack could be averted through a Throttle filter :-/
…________________________________________
From: Lonnie Ezell [notifications@github.com]
Sent: Friday, July 27, 2018 9:57 PM
To: bcit-ci/CodeIgniter4
Cc: James Parry; Comment
Subject: Re: [bcit-ci/CodeIgniter4] auto session start (#1097)
From what I recall of Andrey's reasoning - autostarting the session on every page load could lead to DOS attacks from the sheer number of session being created and some other related security type issues. Completely agree with those.
What this PR does, though, is to start the session the first time you request it, instead of asking you to do session->start() immediately afterword. I think it should be fine, as I can't think of any additional actions you'd take with the session library before it's started, and none of the methods in the Session class seemed to provide any benefit prior.
Unless you can think of any issues with that?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#1097 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADDjb0Skn9MtNb3QB1U9U9d2A0nhFNq7ks5uK-9PgaJpZM4VH6tc>.
|
Start automatically when the session is initialized.
Why is it a separate $session->start() ?
Before:
$session = session()->start();
After:
$session = session();
Before:
$session = \Config\Services::session($config);
$session->start();
After:
$session = \Config\Services::session($config);