On 26.05.2013 17:59, Thomas Bruederli wrote:
> Second, there are reasons that Roundcube comes with a custom session
> handler and those are still valid. We didn't do this just for fun,
> believe me!

i did not say this, but they are not relevant in all setups

> The main reason is concurrent HTTP requests which alter session data.
> Imagine the following scenario:
>
> A) [r]----------- big file being uploaded ------------[w]
> B) [r]----- fast upload ----[w]
>
> In PHP, session data is read when the process starts and written when
> the process ends. With the scenario from above, the session changes of
> request B) would be lost when A) finishes. Until now I don't know of
> any solution with default PHP session handlers that would be able to
> handle such a case properly

and that is why session-files are locked

well, you could come now again with performance but i am developing
web-applications with real load long enough to not see why RC is special

> Another more performance related reason
> for you custom handler is the check if session data actually changed
> before issuing a (useless) update query

without the custom handler there would be no db query at all

> Sure, we could store file upload information somewhere else than in
> session but the underlying problem of concurrent requests overlapping
> each others still persists and can happen in other cases, too

if it comes to integrity it is a *bad idea* to write *lockless* in
sessiondata, which does not happen in the default handler

> @Harald, could you run Roundcube on a PHP5.4 without
> Suhosin to rule that out first?

it is the combination of Suhosin and PHP 5.4

but since my main-job is php-developer and all applications i developed
and maintain except RC are working in the test-setups and on all of the
developer-machines i have zero understanding for *one* app which does not,
and there are much more critical things like a webmail client which is
nice-to-have but not more if it comes to business users

> ** give us an option to NOT touch any session setting **
>
> P.S. we can but for the just explained reasons your Roundcube users
> will complain about lost attachments and other weird behavior

why does this need a *custom* session handler?
sorry - no, zero understanding
_______________________________________________ Roundcube Development discussion mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/dev
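The overlapping-request scenario argued over in this message, as an added example that is not part of the original e-mail and is not Roundcube's handler code. It simulates requests A) and B) against one session store under lockless whole-blob writes, under locking, and under a merge-on-write strategy; the merge strategy, the function names and the sample data are assumptions made for illustration.

```php
<?php
// Constructed simulation: $store stands in for the session backend. Each
// "request" reads the whole session at start [r] and writes it at end [w].
// Lockless whole-blob write: the last writer wins.
function run_lockless(array $store): array {
    $a = $store;                        // A) [r] big upload starts
    $b = $store;                        // B) [r] fast upload starts
    $b['uploads']['b'] = 'small.txt';
    $store = $b;                        // B) [w]
    $a['uploads']['a'] = 'big.iso';
    $store = $a;                        // A) [w] overwrites B's change
    return $store;
}

// Locked session: B's read blocks until A has written (serialized requests).
function run_locked(array $store): array {
    $a = $store; $a['uploads']['a'] = 'big.iso';   $store = $a;
    $b = $store; $b['uploads']['b'] = 'small.txt'; $store = $b;
    return $store;
}

// Hypothetical lock-free alternative: apply only the keys this request added
// or changed ($before -> $after) onto the copy currently in the store.
// Deletions are not handled in this sketch.
function merge_changes(array $current, array $before, array $after): array {
    foreach ($after as $k => $v) {
        $old = $before[$k] ?? null;
        if (is_array($v) && is_array($old) && is_array($current[$k] ?? null)) {
            $current[$k] = merge_changes($current[$k], $old, $v);
        } elseif ($v !== $old) {
            $current[$k] = $v;          // same key changed twice: last wins
        }
    }
    return $current;
}

function run_merged(array $store): array {
    $a0 = $a = $store;                  // A) [r], snapshot kept for diffing
    $b0 = $b = $store;                  // B) [r]
    $b['uploads']['b'] = 'small.txt';
    $store = merge_changes($store, $b0, $b);   // B) [w]
    $a['uploads']['a'] = 'big.iso';
    $store = merge_changes($store, $a0, $a);   // A) [w] keeps B's entry
    return $store;
}

$initial = ['user' => 'alice', 'uploads' => []];   // constructed sample data
foreach (['run_lockless', 'run_locked', 'run_merged'] as $fn) {
    echo $fn, ': ', json_encode($fn($initial)['uploads']), "\n";
}
```

The lockless run ends with only A's attachment in the session, while the locked and merged runs keep both. The merge variant still resolves two writes to the same key as last-writer-wins.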
