Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Community News:
Videos of PHP Srbija 2017 have been released
Aug 10, 2017 @ 10:58:37

As Freek Van der Herten mentions on his site, the videos from this year's PHP Srbija conference (2017) have been released in a YouTube playlist.

Presentations for this year's event included:

You can check out the full list of sessions and videos in this YouTube playlist.

tagged: video release conference phpsrbija17 session

Link: https://www.youtube.com/playlist?list=PLfGr5rAHwhIJtdueIX5-9aEE7K94TNTqC

Community News:
PHP UK 2017 Videos Published
Apr 18, 2017 @ 09:12:59

As Freek Van der Herten has mentioned in this post on his site the videos for all of the sessions at this year's PHP UK Conference have been released over on YouTube.

Sessions at this year's event included:

...and many more. Be sure to check out the full playlist with 34 videos for lots of great speakers covering lots of great topics.

tagged: phpuk17 conference video recording session release youtube

Link: https://www.youtube.com/playlist?list=PL_aPVo2HeGF-_djRi_UVWWLdkVpYQFnFm

Michelangelo van Dam:
Sessions in PHP 7.1 and Redis
Dec 19, 2016 @ 12:09:17

Michelangelo van Dam has a new post to his site looking at using Redis for PHP sessions storage and changes related to the use of PHP 7.1.

In case you have missed it, PHP 7.1.0 has been released recently. Now you can’t wait to upgrade your servers to the latest and greatest PHP version ever. But hold that thought a second…

With PHP 7 lots of things have changed underneath the hood. But these changed features can also put unexpected challenges on your path. [...] One of these challenges that we faced was getting PHP 7.1 to play nice storing sessions in our Redis storage. In order to store sessions in Redis, we needed to install the Redis PHP extension that not only provides PHP functions for Redis, but also installs the PHP session handler for Redis.

When he installed the extension, the latest version (redis-3.1.0), he was given an error message about a failure to read the session data. He shares a bit of code he used to try to debug and diagnose the problem (and a Docker environment) that still resulted in the error. Ultimately they narrowed it down and discovered that it was the Redis extensions causing the problems. Downgrading it from 3.1.0 to 3.0.0 solved the issue right away.

tagged: session redis php71 extension tutorial troubleshoot error connection

Link: http://www.dragonbe.com/2016/12/sessions-in-php-71-and-redis.html

Anna Filina:
Re: When it comes to submitting talks, how many is too many?
Sep 14, 2016 @ 11:12:35

For those out there that are speakers (or are wanting to try their hand at speaking) at a technology conference, Anna Filina has shared her own thoughts about how many talks to submit to a single conference...and what might be too many.

I read this interesting post by Cal Evans about submitting conference proposals. He makes some very valid points, but I’d like to add my own experience as an organizer, so that when you submit, you have multiple perspectives.

She responds to Cal's comments about filtering talks based on topics the conference has mentioned, submitting a max of four talks and submitting the best idea first. Anna also shares some of her own recommendations as an organizer from the Confoo conference(s).

I know how hard it is to go through so many talks. At ConFoo, we receive close to 1000 proposals. [...] I don’t mean to tell other conferences what to do. However, speakers should always bear in mind that conferences operate differently. Perhaps organizers can create a comprehensive guideline specific to their event.
tagged: submit talk session conference toomany opinion organizer confoo

Link: http://afilina.com/re-how-many-is-too-many/

Laravel News:
Controller Construct Session Changes in Laravel 5.3
Aug 30, 2016 @ 10:45:13

On the Laravel News site there's a post detailing some of the updates made to session and controller handling in v5.3 of the framework. It mostly revolves around how the middleware handling changed on each request from v5.2.

Back in laravel 5.2, a developer was able to interact with the session directly in a controller constructor. However, this has changed in laravel 5.3.

The difference between how the 5.3 & 5.2 handle an incoming request is that in 5.2 the request goes through 3 pipelines: global, route and controller [...] In 5.3 the request goes through only 2 Pipelines: global and route/controller (in one pipeline).

The post includes a quote from Taylor Otwell (creator and lead developer of the framework) about why this change was made. Then it shows an alternative to directly accessing this session information in your controllers: a Closure-based middleware in the constructor to execute your checks.

tagged: laravel controller session update access middleware change v53

Link: https://laravel-news.com/2016/08/controller-construct-session-changes-in-laravel-5-3/

Gonzalo Ayuso:
Sharing authentication between socket.io and a PHP frontend
May 16, 2016 @ 10:56:30

In a post to his site Gonzalo Ayuso shows you how to combine authentication between Socket.io and a PHP frontend running a simple Silex-based application.

Normally, when I work with websockets, my stack is a socket.io server and a Silex frontend. Protect a PHP frontend with one kind of authentication of another is pretty straightforward. But if we want to use websockets, we need to set up another server and if we protect our frontend we need to protect our websocket server too.

If our frontend is node too (express for example), sharing authentication is more easy but at this time we we want to use two different servers (a node server and a PHP server). I’ve written about it too but today we`ll see another solution.

He sets up a simple Silex application with three routes - the root (/), a login route and a "private" one requiring a user to be logged in. This last route makes the connection to the websocket server in the template. This connection sends the current session ID to the backend where it's verified with a simple Socket.io middleware. Sometimes the session ID cookie will be set as HttpOnly so he provides an alternative for that: a new endpoint just for getting the current session ID for the websocket request.

tagged: socketio websocket server frontend sharing authentication session silex tutorial

Link: https://gonzalo123.com/2016/05/16/sharing-authentication-between-socket-io-and-a-php-frontend/

Tideways.io:
PHP Session Garbage Collection: The unknown performance bottleneck
May 09, 2016 @ 12:49:22

On the Tideways.com blog there's a tutorial talking about the "unknown performance bottleneck" that can be caused by PHP's own session garbage collection. This garbage collection happens when sessions expire and they need to be removed from the current set/data source.

Here is one performance setting in your PHP configuration you probably haven't thought about much before: How often does PHP perform random garbage collection of outdated session data in your application? Did you know that because of the shared nothing architecture PHP randomly cleans old session data whenever session_start() is called? An operation that is not necessarily cheap.

It's his general advice to avoid PHP's random garbage collection (it happens one in every 1000 requests, randomly) and opt for a more consistent method using background scripts. He gives an example using the Laravel framework and it's modified session garbage collection happening every 50th request (making use of the Symfony Finder component). He points out the problem with its implementation and the negative impact it could have on large, highly used applications. They share some of their own statistics and how to change this default (modifying the lottery option and making a custom "cleanup" command).

tagged: session garbage collection performance bottleneck unknown modify laravel symfony

Link: https://tideways.io/profiler/blog/php-session-garbage-collection-the-unknown-performance-bottleneck

Paul Jones:
PSR-7 and Session Cookies
Apr 12, 2016 @ 13:27:06

In this post to his site Paul Jones makes some suggestions about how to handle session cookies (PHP's default session handling mechanism) and requests/responses using the PSR-7 structure.

One of the great things about PHP is its session handling capabilities. One call to session_start() and a huge amount of heavy lifting is done for you. It’s a great aid when writing page scripts.

However, as you start to need finer control over the HTTP response in your project, some of the automatic session behaviors begin to get in the way. In particular, when you are using PSR-7 to build your HTTP response, you realize that session_start() and session_regenerate_id() both automatically do the equivalent of calling setcookie() to write headers directly to the output. This means you cannot buffer those calls into the Response object for later sending.

How then can we use PHP’s session handling, when we want finer control over when and how cookies get sent?

He suggests that you do two things. First, disable PHP itself from automatically sending the cookie via some ini_set calls. The second is to do the session ID comparison manually and perform the related action (either allowing or sending a new ID on failure). He includes example code showing it in action and also mentions some of the shortcomings of the approach around cache and limiter headers.

tagged: psr7 session cookie request response header disable tutorial

Link: http://paul-m-jones.com/archives/6310

Aaron Saray:
Two Quick Tips for Securing PHP Sessions
Feb 15, 2016 @ 09:41:47

In a new post to his site Aaron Saray has shared two tips that can help you protect the information in your PHP sessions - two configuration options to enable that can enforce stricter standards and options enhancing their overall security.

Let’s talk a little bit about session fixation in PHP. Such a fun topic, right? Tons to get into here. But, let’s just touch the surface on two VERY SIMPLE things you can be doing now to make sure that your website is safe.

The two configuration options he mentions are ones that:

  • force the session identifier to use cookies (versus also allowing it from the URL)
  • enforce "strict mode" on the sessions

Each comes with a bit of description as to what the setting does and the recommended setting is to provide the most protection. One note, though: strict mode is only included in PHP 5.5.2 or greater.

tagged: session security tip strict mode cookies useonly phpini configuration setting

Link: http://aaronsaray.com/2016/two-quick-tips-for-securing-php-sessions

Laravel News:
How To: Optimizing SSL on Laravel Forge
Jan 14, 2016 @ 09:27:59

On the Laravel News site there's a post showing you how to optimize your SSL support on Forge, the Laravel-related tool that makes creating and configuring servers simpler. The post focuses on a recently added feature to Forge, support for Let's Encrypt certificates, and other SSL optimizations.

Laravel Forge was recently to allow one-click installations of Let’s Encrypt certificates. It is now easier than ever to have your own SSL!

Let’s take a few extra minutes to optimize your server and help it perform faster and be more secure. In this tutorial we will look at using SSL session caching, HTTP Strict Transport Security (HSTS), and Hypertext Transfer Protocol 2 (HTTP/2).

The example they give are more Force-centric but the SSL changes and optimizations themselves could be used on any server running Nginx. They talk about:

  • the SSL Log-Jam Fix
  • SSL Optimizations (optimized cypher suite, OCSP stapling)
  • HTTP Strict Transport Security (HSTS)
  • HTTP/2

The post ends with a screenshot of how to test the new configuration and how to restart the web service to put it all into effect. There's also a link to an SSL checker that can help you verify things are set up correctly.

tagged: ssl forge laravel tutorial session cache hsts http2 nginx configuration

Link: https://laravel-news.com/2016/01/optimizing-ssl-laravel-forge/