Intercepting active session?

[pine3ree]

Since I had to work on a similar issue (even if not a zx project) I would like to know other developers' opinion about this.

We could encounter cases when we want to use zx-session + zx-session-ext, but we already have an active session started by a 3rd-party middleware layer (we are using a lazy session implementation) or by an upper-level pipeline (nested apps).

In the worst of cases, we may also have some prepared session-related headers: what should we do?

• Should this package be able to handle these edge cases and intercept active sessions and taking control?
• Should we remove all the session-related headers added by php-session-ext, considering also that header_remove() will delete all the headers with a given name, no matter their origin?

kind regards

[pine3ree]

If you (@weierophinney, @xtreamwayz, ...) reckon this to be a very unprobable edge case, I believe I can close the topic.

[weierophinney]

I think if you have multiple third-party libraries that are each managing session functionality, you likely need to do a bit of work in your application to integrate them to prevent collisions, multiple starts, etc. Generally speaking, you should have one middleware that checks for a session cookie and initializes the session, and then sends the Set-Cookie header at the end. If third-party is doing this, you need to provide a substitution so that your application can be in control of that process.