Closed
Description
- For example, Session::remove calls SessionStorageInterface->getBag()->remove(). This call is not valid because getBag returns a SessionBagInterface, which does not have a remove() method. The remove method and some other methods are only defined for SessionAttributeBagInterface. There is a special getMetadataBag in session and storage to access specific methods on the metadata bag. But there is none for the AttributeBag. Design seems to have holes.
So you could create fatal errors through Symfony by:
$wrongAttributeBag = new FlashBag();
$wrongAttributeBag->setName('attributes');
$session->registerBag($wrongAttributeBag);
$session->replace(array());
- Also FlashBag and AttributeBag have a setName method which is not part of the interface. IMO it should be removed and the name should be part of the constructor instead. I don't see why the name is mutable and can make things out of sync with the Storage::registerBag functionality.
- https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Session/Storage/MetadataBag.php#L76 is not safe to access because it could not be set. And getLastUsed can return null, or it must be initialized with 0 (just as it's done for created etc.)
- NativeSessionStorage::setSaveHandler can be called mid-session, which has no effect. Either only allow it when the session is not started, or have no setter at all and a constructor argument only.
- SessionInterface::start return value makes no sense. It returns bool but also throws Exception when it does not work, which conflicts with each other. Either return a bool and don't throw exception or don't have a return value at all because an exception already says whether it worked or not.
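The first point, as an added illustration that is not part of the original issue and not Symfony's code: the interfaces and classes below are simplified, hypothetical stand-ins (BagInterface, AttributeBagInterface, DemoFlashBag, DemoStorage). It contrasts the unchecked getBag()->remove() call with a typed accessor that rejects a bag of the wrong type registered under the attribute bag's name.

```php
<?php
// Simplified stand-ins for the interfaces named in the issue; hypothetical names, not Symfony's code.
interface BagInterface { public function getName(): string; }

interface AttributeBagInterface extends BagInterface {
    public function remove(string $key);
}

// A bag that is valid for registration but has no remove() method.
final class DemoFlashBag implements BagInterface {
    private $name;
    // The name is fixed at construction, so it cannot drift from the registered key.
    public function __construct(string $name) { $this->name = $name; }
    public function getName(): string { return $this->name; }
}

final class DemoStorage {
    private $bags = [];
    public function registerBag(BagInterface $bag): void { $this->bags[$bag->getName()] = $bag; }
    public function getBag(string $name): BagInterface { return $this->bags[$name]; }

    // Typed accessor: verifies the bag type and fails with a clear exception.
    public function getAttributeBag(string $name): AttributeBagInterface {
        $bag = $this->getBag($name);
        if (!$bag instanceof AttributeBagInterface) {
            throw new LogicException(sprintf('Bag "%s" is %s, not an attribute bag.', $name, get_class($bag)));
        }
        return $bag;
    }
}

$storage = new DemoStorage();
$storage->registerBag(new DemoFlashBag('attributes')); // wrong bag type under the attribute name

try {
    // Unchecked call on the general bag type: undefined method at runtime.
    $storage->getBag('attributes')->remove('user');
} catch (Error $e) {
    echo 'Unchecked: ', $e->getMessage(), PHP_EOL;
}

try {
    // Checked call: the type mismatch is reported before remove() is reached.
    $storage->getAttributeBag('attributes')->remove('user');
} catch (LogicException $e) {
    echo 'Checked: ', $e->getMessage(), PHP_EOL;
}
```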