LegacyPdoSessionHandler.php in Zircon Profile 8

<?php

/*
 * This file is part of the Symfony package.
 *
 * (c) Fabien Potencier <fabien@symfony.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */
namespace Symfony\Component\HttpFoundation\Session\Storage\Handler;

@trigger_error('The ' . __NAMESPACE__ . '\\LegacyPdoSessionHandler class is deprecated since version 2.6 and will be removed in 3.0. Use the Symfony\\Component\\HttpFoundation\\Session\\Storage\\Handler\\PdoSessionHandler class instead.', E_USER_DEPRECATED);

/**
 * Session handler using a PDO connection to read and write data.
 *
 * Session data is a binary string that can contain non-printable characters like the null byte.
 * For this reason this handler base64 encodes the data to be able to save it in a character column.
 *
 * This version of the PdoSessionHandler does NOT implement locking. So concurrent requests to the
 * same session can result in data loss due to race conditions.
 *
 * @author Fabien Potencier <fabien@symfony.com>
 * @author Michael Williams <michael.williams@funsational.com>
 * @author Tobias Schultze <http://tobion.de>
 *
 * @deprecated since version 2.6, to be removed in 3.0. Use
 *             {@link PdoSessionHandler} instead.
 */
class LegacyPdoSessionHandler implements \SessionHandlerInterface {

  /**
   * @var \PDO PDO instance
   */
  private $pdo;

  /**
   * @var string Table name
   */
  private $table;

  /**
   * @var string Column for session id
   */
  private $idCol;

  /**
   * @var string Column for session data
   */
  private $dataCol;

  /**
   * @var string Column for timestamp
   */
  private $timeCol;

  /**
   * Constructor.
   *
   * List of available options:
   *  * db_table: The name of the table [required]
   *  * db_id_col: The column where to store the session id [default: sess_id]
   *  * db_data_col: The column where to store the session data [default: sess_data]
   *  * db_time_col: The column where to store the timestamp [default: sess_time]
   *
   * @param \PDO  $pdo       A \PDO instance
   * @param array $dbOptions An associative array of DB options
   *
   * @throws \InvalidArgumentException When "db_table" option is not provided
   */
  public function __construct(\PDO $pdo, array $dbOptions = array()) {
    if (!array_key_exists('db_table', $dbOptions)) {
      throw new \InvalidArgumentException('You must provide the "db_table" option for a PdoSessionStorage.');
    }
    if (\PDO::ERRMODE_EXCEPTION !== $pdo
      ->getAttribute(\PDO::ATTR_ERRMODE)) {
      throw new \InvalidArgumentException(sprintf('"%s" requires PDO error mode attribute be set to throw Exceptions (i.e. $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION))', __CLASS__));
    }
    $this->pdo = $pdo;
    $dbOptions = array_merge(array(
      'db_id_col' => 'sess_id',
      'db_data_col' => 'sess_data',
      'db_time_col' => 'sess_time',
    ), $dbOptions);
    $this->table = $dbOptions['db_table'];
    $this->idCol = $dbOptions['db_id_col'];
    $this->dataCol = $dbOptions['db_data_col'];
    $this->timeCol = $dbOptions['db_time_col'];
  }

  /**
   * {@inheritdoc}
   */
  public function open($savePath, $sessionName) {
    return true;
  }

  /**
   * {@inheritdoc}
   */
  public function close() {
    return true;
  }

  /**
   * {@inheritdoc}
   */
  public function destroy($sessionId) {

    // delete the record associated with this id
    $sql = "DELETE FROM {$this->table} WHERE {$this->idCol} = :id";
    try {
      $stmt = $this->pdo
        ->prepare($sql);
      $stmt
        ->bindParam(':id', $sessionId, \PDO::PARAM_STR);
      $stmt
        ->execute();
    } catch (\PDOException $e) {
      throw new \RuntimeException(sprintf('PDOException was thrown when trying to delete a session: %s', $e
        ->getMessage()), 0, $e);
    }
    return true;
  }

  /**
   * {@inheritdoc}
   */
  public function gc($maxlifetime) {

    // delete the session records that have expired
    $sql = "DELETE FROM {$this->table} WHERE {$this->timeCol} < :time";
    try {
      $stmt = $this->pdo
        ->prepare($sql);
      $stmt
        ->bindValue(':time', time() - $maxlifetime, \PDO::PARAM_INT);
      $stmt
        ->execute();
    } catch (\PDOException $e) {
      throw new \RuntimeException(sprintf('PDOException was thrown when trying to delete expired sessions: %s', $e
        ->getMessage()), 0, $e);
    }
    return true;
  }

  /**
   * {@inheritdoc}
   */
  public function read($sessionId) {
    $sql = "SELECT {$this->dataCol} FROM {$this->table} WHERE {$this->idCol} = :id";
    try {
      $stmt = $this->pdo
        ->prepare($sql);
      $stmt
        ->bindParam(':id', $sessionId, \PDO::PARAM_STR);
      $stmt
        ->execute();

      // We use fetchAll instead of fetchColumn to make sure the DB cursor gets closed
      $sessionRows = $stmt
        ->fetchAll(\PDO::FETCH_NUM);
      if ($sessionRows) {
        return base64_decode($sessionRows[0][0]);
      }
      return '';
    } catch (\PDOException $e) {
      throw new \RuntimeException(sprintf('PDOException was thrown when trying to read the session data: %s', $e
        ->getMessage()), 0, $e);
    }
  }

  /**
   * {@inheritdoc}
   */
  public function write($sessionId, $data) {
    $encoded = base64_encode($data);
    try {

      // We use a single MERGE SQL query when supported by the database.
      $mergeSql = $this
        ->getMergeSql();
      if (null !== $mergeSql) {
        $mergeStmt = $this->pdo
          ->prepare($mergeSql);
        $mergeStmt
          ->bindParam(':id', $sessionId, \PDO::PARAM_STR);
        $mergeStmt
          ->bindParam(':data', $encoded, \PDO::PARAM_STR);
        $mergeStmt
          ->bindValue(':time', time(), \PDO::PARAM_INT);
        $mergeStmt
          ->execute();
        return true;
      }
      $updateStmt = $this->pdo
        ->prepare("UPDATE {$this->table} SET {$this->dataCol} = :data, {$this->timeCol} = :time WHERE {$this->idCol} = :id");
      $updateStmt
        ->bindParam(':id', $sessionId, \PDO::PARAM_STR);
      $updateStmt
        ->bindParam(':data', $encoded, \PDO::PARAM_STR);
      $updateStmt
        ->bindValue(':time', time(), \PDO::PARAM_INT);
      $updateStmt
        ->execute();

      // When MERGE is not supported, like in Postgres, we have to use this approach that can result in
      // duplicate key errors when the same session is written simultaneously. We can just catch such an
      // error and re-execute the update. This is similar to a serializable transaction with retry logic
      // on serialization failures but without the overhead and without possible false positives due to
      // longer gap locking.
      if (!$updateStmt
        ->rowCount()) {
        try {
          $insertStmt = $this->pdo
            ->prepare("INSERT INTO {$this->table} ({$this->idCol}, {$this->dataCol}, {$this->timeCol}) VALUES (:id, :data, :time)");
          $insertStmt
            ->bindParam(':id', $sessionId, \PDO::PARAM_STR);
          $insertStmt
            ->bindParam(':data', $encoded, \PDO::PARAM_STR);
          $insertStmt
            ->bindValue(':time', time(), \PDO::PARAM_INT);
          $insertStmt
            ->execute();
        } catch (\PDOException $e) {

          // Handle integrity violation SQLSTATE 23000 (or a subclass like 23505 in Postgres) for duplicate keys
          if (0 === strpos($e
            ->getCode(), '23')) {
            $updateStmt
              ->execute();
          }
          else {
            throw $e;
          }
        }
      }
    } catch (\PDOException $e) {
      throw new \RuntimeException(sprintf('PDOException was thrown when trying to write the session data: %s', $e
        ->getMessage()), 0, $e);
    }
    return true;
  }

  /**
   * Returns a merge/upsert (i.e. insert or update) SQL query when supported by the database.
   *
   * @return string|null The SQL string or null when not supported
   */
  private function getMergeSql() {
    $driver = $this->pdo
      ->getAttribute(\PDO::ATTR_DRIVER_NAME);
    switch ($driver) {
      case 'mysql':
        return "INSERT INTO {$this->table} ({$this->idCol}, {$this->dataCol}, {$this->timeCol}) VALUES (:id, :data, :time) " . "ON DUPLICATE KEY UPDATE {$this->dataCol} = VALUES({$this->dataCol}), {$this->timeCol} = VALUES({$this->timeCol})";
      case 'oci':

        // DUAL is Oracle specific dummy table
        return "MERGE INTO {$this->table} USING DUAL ON ({$this->idCol} = :id) " . "WHEN NOT MATCHED THEN INSERT ({$this->idCol}, {$this->dataCol}, {$this->timeCol}) VALUES (:id, :data, :time) " . "WHEN MATCHED THEN UPDATE SET {$this->dataCol} = :data, {$this->timeCol} = :time";
      case 'sqlsrv' === $driver && version_compare($this->pdo
        ->getAttribute(\PDO::ATTR_SERVER_VERSION), '10', '>='):

        // MERGE is only available since SQL Server 2008 and must be terminated by semicolon
        // It also requires HOLDLOCK according to http://weblogs.sqlteam.com/dang/archive/2009/01/31/UPSERT-Race-Condition-With-MERGE.aspx
        return "MERGE INTO {$this->table} WITH (HOLDLOCK) USING (SELECT 1 AS dummy) AS src ON ({$this->idCol} = :id) " . "WHEN NOT MATCHED THEN INSERT ({$this->idCol}, {$this->dataCol}, {$this->timeCol}) VALUES (:id, :data, :time) " . "WHEN MATCHED THEN UPDATE SET {$this->dataCol} = :data, {$this->timeCol} = :time;";
      case 'sqlite':
        return "INSERT OR REPLACE INTO {$this->table} ({$this->idCol}, {$this->dataCol}, {$this->timeCol}) VALUES (:id, :data, :time)";
    }
  }

  /**
   * Return a PDO instance.
   *
   * @return \PDO
   */
  protected function getConnection() {
    return $this->pdo;
  }

}