PHP Session Changes in Sugar 7.7

Matthew Marum —  January 11, 2016 — 4 Comments

Below is some details from Andreas Sandberg, Director of Engineering, at SugarCRM.  Andreas is on his second tour of duty at SugarCRM.  He first joined SugarCRM back in 2007 as an Engineering manager.  He was also the Head of Engineering at Stitch prior to their acquisition by SugarCRM.

Below he shares some information about some changes that have gone into Sugar 7.7 that change how PHP sessions are stored and the underlying implementation.  Sugar Developers need to be aware of these changes so that their interactions with $_SESSION variable do not yield any unpredicted results.

What has changed with $_SESSION?

We have refactored PHP Session storage so that it is more configurable and allow more control over PHP session handling.  We have introduced a new SessionStorage class at src/Session/SessionStorage.php which extends from the TrackableArray class at src/Util/Arrays/TrackableArray/TrackableArray.php. This means that the $_SESSION variable is now an object instance of a TrackableArray which implements the ArrayAccess interface. This means that most code that treated $_SESSION like an array will continue to work as before.

However, there are three changes that Sugar Developers need to be aware of when working with the PHP session objects.  Each change is outlined below. Two of them are API level changes and the last is really just an adherence to best practices but may yield unexpected results if ignored.

Session Array Functions

In Sugar 7.7, certain array functions will now throw fatal errors when used on the $_SESSION variable.  PHP’s native array functions are not safe to use against ArrayAccess objects.  To proactively catch these issues, we have added a health check script to Sugar 7.7 upgrader.  This will warn about use of standard PHP array functions against the $_SESSION variable.

Screen Shot 2016-01-08 at 12.15.05 PM

$_SESSION variable health check

We have modified all areas in the core Sugar 7.7 codebase where this would be problem and have introduced new array utility functions that must be used instead of the standard PHP array functions.

These functions can be found in: src/Util/Arrays/ArrayFunctions/ArrayFunctions.php

These Sugar Functions are safe to use with native PHP Arrays and PHP ArrayAccess implementors such as Sugar’s Session object.

Sugar Function
PHP Equivalent
is_array_access
is_array
in_array_access
in_array
array_access_keys
array_keys
array_access_merge
array_merge

 

(Pre|post)(Increment|Decrement) Operators

With the new implementation, pre and post increment or decrement operators will not work as expected and therefore should be avoided.

For example instead of doing something like:

BAD 

$_SESSION['userStats']['pages']++;

Sugar Developers should instead use:

GOOD

$_SESSION['userStats']['pages'] += 1;

 

Assigning unset session references to a variable

There are some improper programming practices that can cause problems. Specifically, when trying to access a session value by key that does not exist.  When that happens, an unexpected value will be assigned.

For example:

BAD

//No session value for key authenticateduser_language exists in this example
$GLOBALS['current_language'] = $SESSION['authenticateduser_language'];

In this example our friend the TrackableArray will be assigned to the GLOBAL array instead of a string.

To ensure this never happens always proactively guard against possible null values:

GOOD

$GLOBALS['current_language'] = !empty($_SESSION['authenticated_user_language']) ? $_SESSION['authenticated_user_language'] : $GLOBALS['sugar_config']['default_language'];

 

Returning a session value that is an array

You can prevent unexpected behavior when you expect a session value to be an array by using array type casting.  This will ensure that an array is always returned.

BAD

return $_SESSION['reports_getACLAllowedModules'];

GOOD

return (array) $_SESSION['reports_getACLAllowedModules'];

 

Matthew Marum

Posts

Matt is the Director of Developer Advocacy for SugarCRM. Previously he was an Engineer on Sugar 7 and a Solutions Architect for the OEM program. He is also an avid trail runner, Boston Marathon qualifier and a karaoke aficionado.

4 responses to PHP Session Changes in Sugar 7.7

  1. 

    Why you don’t use functions or methods like as array_get($_SESSION, ‘key’, ‘default’) or Session::get(‘key’, ‘default’) and config(‘key.subkey’, ‘default’)?

  2. 

    Which PHP Version will be supported with 7.7

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s