
I need to push updates to a live website written in PHP. Because of the changes made, current client session variables will cause a cascade of errors.

I thought of pushing a function call to reset sessions, but I would have to push a new update with that call removed, which means only clients who refreshed while the call was present would get a new session.

Is there a standard way to handle this? This is on a shared server so I would need a PHP or htaccess solution.

jdf
  • If you're using the default session handler then just delete everything in `session.save_path`. Going forward, you could store a version value in the session data and then either invalidate the session in code, or perform a migration on the session data to the new format to avoid invalidating them altogether. – Sammitch Aug 30 '22 at 21:15
  • @sammitch thanks for the suggestion, I am on php.net looking into it now. Any other resources? – jdf Aug 30 '22 at 21:28
  • To build on @Sammitch's comment - in the same way you check if someone is logged in, you can also check a "version" value in the session data. Then whenever they log in, you can set that session value - in something like `$_SESSION["version"]`. I'd suggest using a global variable in a config file that you can update whenever you push an update. – Rylee Aug 30 '22 at 22:16
  • You can also directly access the session files and delete them but this is really not great practice - have a look at [this question](https://stackoverflow.com/questions/3426844/access-active-sessions-in-php) – Rylee Aug 30 '22 at 22:17
  • I am using the example from php.net - `session_save_path('/home/example.com/sessions'); ini_set('session.gc_probability', 1);` I'm not sure if I will be able to change these values on a shared server, but after testing on localhost, I understand what to do. I have `session_start()` in numerous places so now that I have an idea of where to begin I can tell this will take some time to test and implement. I will have to revisit this question after this weekend and will provide an answer if one isn't provided. – jdf Aug 30 '22 at 22:55
  • Just changing the session name might also be an option. Then any clients still sending a session cookie with the old name won't be recognized as currently having a valid session, so a new one will be created. (Although if you also have to deal with some EU cookie regulation stuff, and had to list each cookie by name, as is sometimes the case, this might still be a bit of an issue, especially if you had to do this more often.) – CBroe Aug 31 '22 at 06:21
  • Easy solution: get a maintenance period. Not so easy: new site understands old sessions. Not easy: create a copy of your site, with new code and use a load balancer between both versions. No session or new session == new site. Old session == old site. When no one is connected to the old site, turn it off and prepare it for the next iteration. – Nic3500 Aug 31 '22 at 17:54
  • @Nic3500 The problem with a maintenance period is the site is either unavailable or only a static version is available. Static version is less than ideal; when the site is unavailable it causes issues with SEO. – jdf Sep 01 '22 at 16:09

0 Answers
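The session version check suggested in the comments, written out as an added example (it is not code from the question or from any commenter). `SESSION_SCHEMA_VERSION`, `start_versioned_session()`, `migrate_session()` and the `user` / `user_id` keys are hypothetical names; sessions created before the first versioned release carry no `version` key and are reset.

```php
<?php
// Added example; every name here is hypothetical except the PHP built-ins.

// Bump this in the deployed config whenever the session layout changes.
const SESSION_SCHEMA_VERSION = 2;

/** Upgrade old session data in place. Returns false when no safe path exists. */
function migrate_session(array &$data, int $from): bool
{
    // Constructed migration: v1 kept the user id in 'user', v2 expects 'user_id'.
    if ($from === 1 && isset($data['user']) && is_int($data['user'])) {
        $data['user_id'] = $data['user'];
        unset($data['user']);
        return true;
    }
    return false;
}

/** Call this wherever the code currently calls session_start(). */
function start_versioned_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $found = $_SESSION['version'] ?? null;
    if ($found === SESSION_SCHEMA_VERSION) {
        return; // layout is already current
    }

    $isNew = ($_SESSION === []);
    if (!$isNew && !(is_int($found) && migrate_session($_SESSION, $found))) {
        // Missing, unknown or unmigratable version: drop the stale data and
        // issue a fresh ID; true deletes the old server-side session record.
        $_SESSION = [];
        session_regenerate_id(true);
    }

    $_SESSION['version'] = SESSION_SCHEMA_VERSION;
}

start_versioned_session();
```

Because the check runs on every request, it stays in the code base permanently, so clients who return days after the deployment are still reset or migrated on their first request.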