Sara Golemon


PHP RFC: Fix handling of custom session handler return values


The logic in ext/session/mod_user.c is just plain wrong.


  • “[For all callback functions] Return value is TRUE for success, FALSE for failure.”

Yet in ext/session/mod_user.c:

 PS_FUNC(user) {
  /* blah blah */
  zval *retval = ps_call_handler(PSF(func), argc, argc);
  if (retval) {
     return Z_LVAL_P(retval);
  return FAILURE;

Remembering that SUCCESS == 0, and FAILURE == -1

So what does that mean for return values?

  • return false ⇒ return (int)false ⇒ return 0 ⇒ return SUCCESS
  • return true ⇒ return (int)true) ⇒ return 1 ⇒ return NeitherSUCCESSnorFAILURE


Change the FINISH macro in session.c to map true to SUCCESS, false to FAILURE, warn (and fail) for integer -1, and warn (but succeed) for anything else.

Backward Incompatible Changes

  • Anyone currently returning -1 for failure (because that's what ends up working as expected) now gets a warning.
  • Anyone returning false for failure now actually goes down the failure path (and this might be unexpected due to how long this has been wrong).

Proposed PHP Version(s)

Either 5.next (5.7?) or phpng due to the age of this bug.



An option needs 50%+1 votes to win

Fix custom session save handler using the patch as written (100% approved)
User Vote
aharvey Yes
bwoebi Yes
kassner Yes
levim Yes
mike Yes
oaass Yes
pollita Yes
stas Yes
treffynnon Yes
tyrael Yes
Which version? (100% approved)
User Vote
aharvey 6.0 or later
auroraeosrose 5.7 or later
bwoebi 5.7 or later
fmk 5.7 or later
kassner 5.7 or later
levim 5.7 or later
mike 5.7 or later
oaass 6.0 or later
pollita 5.7 or later
stas 5.7 or later
treffynnon 5.7 or later
tyrael 6.0 or later