[pmwiki-users] authuser

[Patrick R. Michaud]

On Tue, Jun 21, 2005 at 03:29:40PM -0700, H. Fox wrote:
> Sort of, except the session is not in session (as Cheech and Chong
> would say) on subsequent page loads after the the user is
> authenticated.  However
> 
> @session_start();
> if (@$_SESSION['authid']) $Author=$_SESSION['authid'];
> 
> has the effect I was going for.  Does the session_start() line hurt 
> anything?

Short answer:  No, the session_start() line shouldn't hurt in general.

Longer answer:  
PHP's session handling functions are really convenient and certainly
an improvement over what most would implement on their own, but
sessions do have their quirks.  One quirk of sessions is that
with PHP sessions active a user cannot have two or more browser
windows accessing a site simultaneously -- the session_start()
function acts as a semaphore because it locks the session file.

In general this isn't an issue, but for some people (like me) who
will open 10-20 PmWiki pages in rapid succession, it can really 
slow things down because each page has to be handled one-at-a-time.

The PHP recommended solution is to wrap operations on session 
variables in session_start()...session_write_close() calls, but 
that only works if it's done everywhere it's used in a script.

PmWiki uses session variables in the authentication functions,
and it tries to close off the session early when it can detect
that it can safely do so.  However, only the first call to
session_open() can really know that it's the first -- all the
others have to assume that a session is currently active.

Or something like that.

Anyway, at this point it's worth re-thinking the order-of-operations
needed for setting and maintaining the several variables involved
in identifying and authorizing authors.  For reference:

    $AuthId = verified author identity  (stored in $_SESSION['authid'])
    $Author = author's name             (stored in $_COOKIE['author'])

Pm