It seems rather important to set forth some rules regarding the usage of sessions, which should be adhered to by all extensions (plugins, addons and templates), because the sessions are usually shared between the core and all involved extensions. The only rule that we currently have is documented in the developers manual in the Wiki:
never destroy a session; it might still be used by others
However, this is not sufficient, because there are more things that should be avoided:
- using unprefixed keys of the $_SESSION array (which could lead to collisions between otherwise unrelated functionality)
- changing or even deleting session variables which one doesn't own
- calling session_reset() (available since PHP 5.6)
- changing of session settings, such as session.save_path, session.cache_expire etc.
- starting a session even when not required for the current request
- storing lots of data in the session
- starting a new session with another ID and/or name (for rare exceptions see below)
- starting the session if not already started (if (session_id() == '') session_start();)
- storing and retrieving of properly "namespaced" keys which belong to the extension
- retrieving values which belong to other extensions (if absolutely necessary)
Note that we have Use named Sessions on the roadmap, which does not directly affect the above rules, but is nonetheless related to this topic.
What do you think? Can we agree on some rules?
Christoph
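
The rules proposed in the post above, sketched as an added example that is not part of the original post and not code from the project: a wrapper that starts the session only when needed, keeps every key under the extension's own prefix, and cleans up without destroying the shared session. The class name `ExtensionSession` and the `myplugin` prefix are hypothetical.

```php
<?php
// Added example: hypothetical wrapper for an extension using the shared session.
// Class name and the "myplugin" prefix are assumptions, not project API.
final class ExtensionSession
{
    private $prefix;

    public function __construct($extensionName)
    {
        $this->prefix = $extensionName . '_';
    }

    // Start the session only if nobody else has started it yet.
    private function ensureStarted()
    {
        if (session_status() === PHP_SESSION_NONE) {
            session_start();
        }
    }

    public function set($key, $value)
    {
        $this->ensureStarted();
        $_SESSION[$this->prefix . $key] = $value;
    }

    public function get($key, $default = null)
    {
        // A pure read must not create a session the request does not need.
        if (session_status() === PHP_SESSION_NONE && !isset($_COOKIE[session_name()])) {
            return $default;
        }
        $this->ensureStarted();
        $name = $this->prefix . $key;
        return array_key_exists($name, $_SESSION) ? $_SESSION[$name] : $default;
    }

    // Cleanup for this extension: drop only our own keys, never session_destroy().
    public function clear()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            return;
        }
        foreach (array_keys($_SESSION) as $name) {
            if (strpos($name, $this->prefix) === 0) {
                unset($_SESSION[$name]);
            }
        }
    }
}

// Constructed demo: a key owned by someone else survives the extension's cleanup.
$session = new ExtensionSession('myplugin');
$session->set('cart', array(1, 2));
$_SESSION['core_user'] = 'admin'; // stands in for a value owned by the core
$session->clear();
var_dump($session->get('cart'), isset($_SESSION['core_user']));
```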