Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

SitePoint PHP Blog:
How to Fix Magento Login Issues with Cookies and Sessions
May 21, 2018 @ 11:30:01

On the SitePoint PHP blog there's a new tutorial posted showing how to fix Magento login issue with cookies and sessions. This issue can cause a redirect loop but can be fixed.

In this article are looking at how Magento cookies can create issues with the login functionality of both the customer-facing front-end and admin back-end, the reason it occurs and how it should be resolved.

This is also known as the looping issue, as the screen redirects itself to the same screen, even though the username and password is correct.

The post starts with some basic definitions of "cookie" and "session" and gets into more detail on how Magento stores sessions and the places it can store them. The tutorial then covers each of the cookies used and three reasons the login issues might be happening:

  • Cookie domain does not match server domain
  • Multiple subdomains used and Magento’s cookie configuration is incorrect
  • Double front-end cookies causing intermittent login issues

For each several solutions are included with any code or SQL changes that need to happen to correct it.

tagged: magento tutorial fix login issue cookie session

Link: https://www.sitepoint.com/fix-magento-login-issues-cookies-sessions/

Matthias Noback:
Context passing
Apr 24, 2018 @ 10:20:26

In a new post to his site Matthias Noback shares some of his recent experience working with a multi-tenant application and the current "contexts" that exist during the user's session. In the most he makes some suggestions about how to generate this context on each request without having to resort to a "data clumping" approach.

In the beginning we start out with a framework that has some authentication functionality built-in. We can get the "current user" from the session, or from some other session-based object. We'll also need the "current company" (or the "current organization") of which the current user is a member.

In the web controller, we take this information out of the session (which we can possibly reach through the "request" object passed to the controller action as an argument). Then we start doing the work; making queries, making changes, sending mails, etc. All on behalf of the current user and the current organization. [...] Soon this starts to feel like a code smell known as a Data Clump: the same data hanging around together.

He offers a few different steps to follow to make sure you're correctly implementing this functionality and not violating the SRP (Single Responsibility Principle):

  • Injecting the session
  • The Context class
  • Passing contextual values on a need-to-know basis
  • Fetching more data when needed

For each item on the list there's a paragraph or two explaining the changes and functionality with code examples included where necessary for illustration.

tagged: context data request tutorial inject session

Link: https://matthiasnoback.nl/2018/04/context-passing/

Community News:
Videos of PHP Srbija 2017 have been released
Aug 10, 2017 @ 10:58:37

As Freek Van der Herten mentions on his site, the videos from this year's PHP Srbija conference (2017) have been released in a YouTube playlist.

Presentations for this year's event included:

You can check out the full list of sessions and videos in this YouTube playlist.

tagged: video release conference phpsrbija17 session

Link: https://www.youtube.com/playlist?list=PLfGr5rAHwhIJtdueIX5-9aEE7K94TNTqC

Community News:
PHP UK 2017 Videos Published
Apr 18, 2017 @ 09:12:59

As Freek Van der Herten has mentioned in this post on his site the videos for all of the sessions at this year's PHP UK Conference have been released over on YouTube.

Sessions at this year's event included:

...and many more. Be sure to check out the full playlist with 34 videos for lots of great speakers covering lots of great topics.

tagged: phpuk17 conference video recording session release youtube

Link: https://www.youtube.com/playlist?list=PL_aPVo2HeGF-_djRi_UVWWLdkVpYQFnFm

Michelangelo van Dam:
Sessions in PHP 7.1 and Redis
Dec 19, 2016 @ 12:09:17

Michelangelo van Dam has a new post to his site looking at using Redis for PHP sessions storage and changes related to the use of PHP 7.1.

In case you have missed it, PHP 7.1.0 has been released recently. Now you can’t wait to upgrade your servers to the latest and greatest PHP version ever. But hold that thought a second…

With PHP 7 lots of things have changed underneath the hood. But these changed features can also put unexpected challenges on your path. [...] One of these challenges that we faced was getting PHP 7.1 to play nice storing sessions in our Redis storage. In order to store sessions in Redis, we needed to install the Redis PHP extension that not only provides PHP functions for Redis, but also installs the PHP session handler for Redis.

When he installed the extension, the latest version (redis-3.1.0), he was given an error message about a failure to read the session data. He shares a bit of code he used to try to debug and diagnose the problem (and a Docker environment) that still resulted in the error. Ultimately they narrowed it down and discovered that it was the Redis extensions causing the problems. Downgrading it from 3.1.0 to 3.0.0 solved the issue right away.

tagged: session redis php71 extension tutorial troubleshoot error connection

Link: http://www.dragonbe.com/2016/12/sessions-in-php-71-and-redis.html

Anna Filina:
Re: When it comes to submitting talks, how many is too many?
Sep 14, 2016 @ 11:12:35

For those out there that are speakers (or are wanting to try their hand at speaking) at a technology conference, Anna Filina has shared her own thoughts about how many talks to submit to a single conference...and what might be too many.

I read this interesting post by Cal Evans about submitting conference proposals. He makes some very valid points, but I’d like to add my own experience as an organizer, so that when you submit, you have multiple perspectives.

She responds to Cal's comments about filtering talks based on topics the conference has mentioned, submitting a max of four talks and submitting the best idea first. Anna also shares some of her own recommendations as an organizer from the Confoo conference(s).

I know how hard it is to go through so many talks. At ConFoo, we receive close to 1000 proposals. [...] I don’t mean to tell other conferences what to do. However, speakers should always bear in mind that conferences operate differently. Perhaps organizers can create a comprehensive guideline specific to their event.
tagged: submit talk session conference toomany opinion organizer confoo

Link: http://afilina.com/re-how-many-is-too-many/

Laravel News:
Controller Construct Session Changes in Laravel 5.3
Aug 30, 2016 @ 10:45:13

On the Laravel News site there's a post detailing some of the updates made to session and controller handling in v5.3 of the framework. It mostly revolves around how the middleware handling changed on each request from v5.2.

Back in laravel 5.2, a developer was able to interact with the session directly in a controller constructor. However, this has changed in laravel 5.3.

The difference between how the 5.3 & 5.2 handle an incoming request is that in 5.2 the request goes through 3 pipelines: global, route and controller [...] In 5.3 the request goes through only 2 Pipelines: global and route/controller (in one pipeline).

The post includes a quote from Taylor Otwell (creator and lead developer of the framework) about why this change was made. Then it shows an alternative to directly accessing this session information in your controllers: a Closure-based middleware in the constructor to execute your checks.

tagged: laravel controller session update access middleware change v53

Link: https://laravel-news.com/2016/08/controller-construct-session-changes-in-laravel-5-3/

Gonzalo Ayuso:
Sharing authentication between socket.io and a PHP frontend
May 16, 2016 @ 10:56:30

In a post to his site Gonzalo Ayuso shows you how to combine authentication between Socket.io and a PHP frontend running a simple Silex-based application.

Normally, when I work with websockets, my stack is a socket.io server and a Silex frontend. Protect a PHP frontend with one kind of authentication of another is pretty straightforward. But if we want to use websockets, we need to set up another server and if we protect our frontend we need to protect our websocket server too.

If our frontend is node too (express for example), sharing authentication is more easy but at this time we we want to use two different servers (a node server and a PHP server). I’ve written about it too but today we`ll see another solution.

He sets up a simple Silex application with three routes - the root (/), a login route and a "private" one requiring a user to be logged in. This last route makes the connection to the websocket server in the template. This connection sends the current session ID to the backend where it's verified with a simple Socket.io middleware. Sometimes the session ID cookie will be set as HttpOnly so he provides an alternative for that: a new endpoint just for getting the current session ID for the websocket request.

tagged: socketio websocket server frontend sharing authentication session silex tutorial

Link: https://gonzalo123.com/2016/05/16/sharing-authentication-between-socket-io-and-a-php-frontend/

PHP Session Garbage Collection: The unknown performance bottleneck
May 09, 2016 @ 12:49:22

On the Tideways.com blog there's a tutorial talking about the "unknown performance bottleneck" that can be caused by PHP's own session garbage collection. This garbage collection happens when sessions expire and they need to be removed from the current set/data source.

Here is one performance setting in your PHP configuration you probably haven't thought about much before: How often does PHP perform random garbage collection of outdated session data in your application? Did you know that because of the shared nothing architecture PHP randomly cleans old session data whenever session_start() is called? An operation that is not necessarily cheap.

It's his general advice to avoid PHP's random garbage collection (it happens one in every 1000 requests, randomly) and opt for a more consistent method using background scripts. He gives an example using the Laravel framework and it's modified session garbage collection happening every 50th request (making use of the Symfony Finder component). He points out the problem with its implementation and the negative impact it could have on large, highly used applications. They share some of their own statistics and how to change this default (modifying the lottery option and making a custom "cleanup" command).

tagged: session garbage collection performance bottleneck unknown modify laravel symfony

Link: https://tideways.io/profiler/blog/php-session-garbage-collection-the-unknown-performance-bottleneck

Paul Jones:
PSR-7 and Session Cookies
Apr 12, 2016 @ 13:27:06

In this post to his site Paul Jones makes some suggestions about how to handle session cookies (PHP's default session handling mechanism) and requests/responses using the PSR-7 structure.

One of the great things about PHP is its session handling capabilities. One call to session_start() and a huge amount of heavy lifting is done for you. It’s a great aid when writing page scripts.

However, as you start to need finer control over the HTTP response in your project, some of the automatic session behaviors begin to get in the way. In particular, when you are using PSR-7 to build your HTTP response, you realize that session_start() and session_regenerate_id() both automatically do the equivalent of calling setcookie() to write headers directly to the output. This means you cannot buffer those calls into the Response object for later sending.

How then can we use PHP’s session handling, when we want finer control over when and how cookies get sent?

He suggests that you do two things. First, disable PHP itself from automatically sending the cookie via some ini_set calls. The second is to do the session ID comparison manually and perform the related action (either allowing or sending a new ID on failure). He includes example code showing it in action and also mentions some of the shortcomings of the approach around cache and limiter headers.

tagged: psr7 session cookie request response header disable tutorial

Link: http://paul-m-jones.com/archives/6310