In the wiki - just a basic overview for each feature.

Some use cases will be enhanced by iterating through all session data within a store.

Should be able to iterate over the keys and values within a SessionStore - useful for finding matching keys, etc.

When dealing with session data, it would be useful to categorise the type of data being worked with so that it can be iterated over or unset all in one go.

A common practice is using dot notation to namespace session data.

$firstName = $session->get("user.name.first");
$lastName = $session->get("user.name.last");
$fullName = implode(" ", [$firstName, $lastName]);
// Now we're done with the data, for example, a log out:
$session->delete("user");

Session::get can return a SessionData which will toString to the data it represents, but this allows for accessing deeper variables.

Alternatively, there could be a Session::getString method introduced which forces the return type to string.

Allow transparent ids for use on applications where cookies are not allowed!

Currently the session file is not written to after a session key is unset, which is buggy behaviour.

Now WebEngine starts a session using the php_decode functionality throughout, session_start will never fail due to an invalid encoding, so I expect the looped session_start is not needed... however, when the session expires, there may be new functionality to handle.

Functionality in question is Session.php:50.

Provide it so that other objects can implement it to wrap their own mechanism for dealing with Sessions while retaining type-safe compatibility.

This is required for AuthWave.

$store = $session->getStore("some.long.namespace.storename", true);

The true in the example above means that if the session store that is being requested doesn't exist, it should be created. This works fine until an element of the namespace does already exist. The create-if-not-exists flag is not passed down to deeper namespaces.

Looks like the error exists here:

Session data can contain anything, not just strings. This typehint confuses IDEs:

https://www.php.net/manual/en/session.configuration.php

Dependabot needs to be tamed, as per PhpGt/WebEngine#568

This is a fundamental feature of Php.Gt/Session and must be part of the v1 release.

Rather than simply replacing $_SESSION with SessionHandler, which equally provides read/write access to all session data, a SessionStore object needs to be introduced.

This will allow a subset of the session to be passed amongst different classes of code.

For example, when a class requires access to the session, such as the Auth class of your application, it must be given access to the session object, but rather than passing the whole session object, pass a SessionStore object to it, which only allows access to a subset of the entire session.

Example:

$authSession = $session->getStore("auth");
$auth = new Auth($authSession);

class Auth {
	protected $session;

	public function __construct(SessionStore $session) {
		$this->session = $session;
	}

	public function checkAuth():bool {
		return $this->session->contains("username");
	}
}

// The call within checkAuth is synonymous to:
// $this->session->contains("auth.username");

A limitation of the HTTP spec is that cookies can only be set per domain, not including the port they're served from.

I've just hit a bug because I'm developing two concurrent applications on localhost, using two different ports. There are ways around this (local /etc/hosts entries, DNS, etc) but I don't want to have a situation where this might not work.

I want to be able to construct a new Session with an additional, optional parameter, which can be appended to the end of the session ID. WebEngine or other frameworks can then send in the non-standard port, which can be appended to the session id. Maybe keep this really simple, without obfuscation: $id = $id . ":$port".

In the improbable (but possible) event that a session is corrupted (think load balanced app after being upgraded to new release), the session may not start without issuing a warning. This is fine, because if a session can't start, we should just destroy it and start again, but we need to handle this edge case.

Local development is difficult with a "strict" same-site cookie policy. "Lax" seems to be perfect for balancing real-world security with a usable development environment.

This is not needed any more seeing as the Session object now hosts its own Store.

http://php.net/manual/en/class.sessionhandlerinterface.php

$session->kill() to kill the whole thing, for logouts.

Count how many keys each store has for use with the count method.

Follow-on issue is #11 but that is not required until v2.

Deprecated: Return type of Gt\Session\Handler::destroy($session_id) should either be compatible with SessionHandlerInterface::destroy(string $id): bool, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/g105b/Code/Insulplant/insulmap/vendor/phpgt/session/src/Handler.php on line 17

Deprecated: Return type of Gt\Session\Handler::gc($maxlifetime): bool should either be compatible with SessionHandlerInterface::gc(int $max_lifetime): int|false, or the #[\ReturnTypeWillChange] attribute should be used to temporarily suppress the notice in /home/g105b/Code/Insulplant/insulmap/vendor/phpgt/session/src/Handler.php on line 23

It may not be suitable for the developer to use a class that implements SessionStoreInterface (#62), so providing a SessionWrapper class that does implement that interface that can be constructed using an pass-by-reference array, then the developer can simply pass $_SESSION.

This enhances the functionality of #62

For improved type safety and consistency with other PHP.Gt repos, replace the get() function with getInt, getBool, etc.

Useful to create popup messages, etc.

On a SessionStore object, there is already a remove() function, but this function only allows for removing a child of the session store.

For instances where a SessionStore has been passed to a class for encapsulated session usage, it would be useful for that class to be able to remove the SessionStore itself. This could be done like this:

$encapsulatedSession = $session->get("example.auth");
$authentication = new Auth($encapsulatedSession);

// Inside Auth:

function logout() {
    $this->encapsulatedSession->remove();
}

Note that the above example calls remove() with no parameters, indicating that we want to remove the store itself (and all children).