Cleanup of the session extension

For PHP 7.2, the code of session handling extension has been cleaned up and various inconsistencies have been corrected. The majority of changes should not have any impact on your code other than a more stable overall operation.

The functions session_unset(), session_write_close(), session_commit(), session_abort() and session_reset() now return a boolean false in case of an error rather than null. PHP now complains when superfluous parameters are being passed to those functions that expect no parameters. Previously, PHP would silently ignore any superfluous parameters.

Prior to PHP 7.2, many session related functions could be called without triggering an error regardless whether the requested operation could work in the current session state. This is no longer possible and the functions session_start(), session_set_cookie_params(), session_name(), session_module_name(), session_set_save_handler(), session_regenerate_id(), session_cache_limiter(), session_cache_expire(), session_unset(), session_destroy(), session_write_close(), session_commit() and session_reset() now all return a boolean false in case the current state does not support the desired operation.

Various options of the session extension can be configured in php.ini and can also be changed at runtime via ini_set(). If you attempt invalid modifications, or when headers have already been sent, calling the following functions will fail:, session.save_path, session.cookie_lifetime, session.cookie_path, session.cookie_domain, session.cookie_httponly, session.cookie_secure, session.use_cookies, session.use_only_cookies, session.use_strict_mode, session.referer_check, session.cache_limiter, session.cache_expire, session.lazy_write, session.save_handler, session.serialize_handler, session.gc_probability, session.gc_divior and session.gc_maxlifetime. Older versions of PHP accepted new values even though they would not have any effect.

Particularly CLI applications might be affected by this new corrected behavior in case they are dealing with sessions. A possible workaround would be to use output buffering – just like in web applications.

For security reasons, starting with PHP 7.2, the session extension also no longer initializes $_SESSION for invalid and useless session data.