Session

Cleanup of the session extension

For PHP 7.2, the code of the session handling extension has been cleaned up and various inconsistencies have been corrected. The majority of changes should not have any impact on your code other than a more stable overall operation.

The functions session_unset(), session_write_close(), session_commit(), session_abort() and session_reset() now return a boolean false in case of an error rather than null. PHP now complains when superfluous parameters are being passed to those functions that expect no parameters. Previously, PHP would silently ignore any superfluous parameters.

Prior to PHP 7.2, many session-related functions could be called without triggering an error, regardless of whether the requested operation could work in the current session state. This is no longer possible: the functions session_start(), session_set_cookie_params(), session_name(), session_module_name(), session_set_save_handler(), session_regenerate_id(), session_cache_limiter(), session_cache_expire(), session_unset(), session_destroy(), session_write_close(), session_commit() and session_reset() now all return a boolean false when the current state does not support the desired operation.

Various options of the session extension can be configured in php.ini and can also be changed at runtime via ini_set(). If you attempt an invalid modification, or when headers have already been sent, changing the following settings will fail: session.name, session.save_path, session.cookie_lifetime, session.cookie_path, session.cookie_domain, session.cookie_httponly, session.cookie_secure, session.use_cookies, session.use_only_cookies, session.use_strict_mode, session.referer_check, session.cache_limiter, session.cache_expire, session.lazy_write, session.save_handler, session.serialize_handler, session.gc_probability, session.gc_divisor and session.gc_maxlifetime. Older versions of PHP accepted new values even though they would not have any effect.

CLI applications that work with sessions are particularly likely to be affected by this corrected behavior. A possible workaround is to use output buffering, just like in web applications.
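The following CLI script is an added example, not code from the original page. It applies the output-buffering workaround and checks the return values that PHP 7.2 made meaningful, so a rejected security setting stops the script instead of being silently ignored. The helper names set_session_option() and start_hardened_session() are hypothetical.

```php
<?php
declare(strict_types=1);

// Buffer all output so that an early echo does not count as "headers sent",
// which would make the session ini changes below fail on PHP 7.2+.
ob_start();
echo "starting job\n";

// Hypothetical helper: apply one session ini setting or abort.
function set_session_option(string $key, string $value): void
{
    // ini_set() returns the previous value on success and false on failure.
    // The previous value can be "0" or "", so the comparison must be strict.
    if (ini_set($key, $value) === false) {
        throw new RuntimeException("session option rejected: $key");
    }
}

// Hypothetical helper: configure cookie hardening, then start the session.
function start_hardened_session(): void
{
    set_session_option('session.use_strict_mode', '1');
    set_session_option('session.use_only_cookies', '1');
    set_session_option('session.cookie_httponly', '1');
    set_session_option('session.cookie_secure', '1');

    if (session_start() !== true) {
        throw new RuntimeException('session_start() failed');
    }
}

start_hardened_session();

// Once the session is active, late changes are rejected rather than accepted
// without effect. Warnings are suppressed here to inspect the return values.
$lateIni  = @ini_set('session.cookie_httponly', '0');
$lateName = @session_name('LATE');
if ($lateIni !== false || $lateName !== false) {
    throw new LogicException('late session change was unexpectedly accepted');
}

// The write/close functions now report failure with false, not null.
if (session_regenerate_id(true) === false || session_write_close() === false) {
    throw new RuntimeException('could not rotate or persist the session');
}

ob_end_flush(); // release the buffered output
```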

For security reasons, starting with PHP 7.2, the session extension also no longer initializes $_SESSION for invalid and useless session data.