Yii2: $_SESSION can be null when error log is triggered

Created on 7 Aug 2017  路  9Comments  路  Source: yiisoft/yii2

What steps will reproduce the problem?

Configure the log component to log 404 errors with $_SESSION variable doing something like this:

  'log' => [
    'targets' => [
      [
        'class' => 'yii\log\FileTarget',
        'logVars' => ['_SESSION'],
        'levels' => ['error', 'warning'],
        'categories' => ['yii\web\HttpException:404'],
        'logFile' => '@runtime/logs/not-found.log',
      ],
    ],
  ],

Make sure that in your actionError and beforeAction (or something else that will be called before
404 error log) you have nothing that uses session, like Yii::$app->user->id or Yii::$app->session

After that you can try to access a route that does not exists to get a 404 error

What is the expected result?

A file named not-found.log containing an 404 error log with session information

What do you get instead?

A file named not-found.log containing an 404 error log, but without session information

Additional info

| Q | A
| ---------------- | ---
| Yii version | 2.0.11.2
| PHP version | 7.1.5
| Operating system | OSX El Captain

My conclusions

I started the debug and I descovered that the reason is that the $_SESSION is null until we call any function that uses session, because in the Session::get() we have $this->open();. So if we don't use functions that uses session in somewhere before the error log, when the code reachs the function Target::getContextMessage() the variable $_SESSION will stil be null and not appear into log message.

If you agree that I did everything right and this is a real bug I can open a PR with just one line to use the Yii::$app->session->open() in Logger::init()

docs
Source
picture lebreRafael

Most helpful comment

If session wasn't started then why should the log include any information about it?

picture samdark on 8 Aug 2017
👍2

All 9 comments

If session wasn't started then why should the log include any information about it?

samdark picture samdark on 8 Aug 2017
👍2

That's a good question.
Let's think about the following two cases:

  1. At the docs we can se a Info block with the following words and this can lead people to don't use Yii::$app->session->open() anywhere (that's my case)

When you access session data through the session component, a session will be automatically opened if it has not been done so before.

  1. If I need to use session inside one particular action where is the right place to put Yii::$app->session->open()? If some person put this inside that action that needs session the problem with the 404 log will occurs.

I can see that in this two cases the code are not right and because of this the session don't appears in log, but maybe we can do something to avoid people losing some time trying to debug this. Now I'm not sure if it's the case to change the code but maybe we can change the log docs and say that we need to open the session to use _SESSION at logVars. What do you think?

lebreRafael picture lebreRafael on 8 Aug 2017
  1. If you're calling Yii::$app->session->get() then session is started automatically. That's what stated in the docs and that's how it works.
  2. You don't have to. If you're using it, it's opened. If you're not using it, it's not opened. Why do you need session data for the page that doesn't use session?

Not logging session if it isn't used sounds correct to me...

samdark picture samdark on 8 Aug 2017

I'm using session but the error occurs before the code reach session usage, so the session isn't opened yet

lebreRafael picture lebreRafael on 8 Aug 2017

Means the error is not connected to session data in any way and having it won't help you debugging the error, right?

samdark picture samdark on 8 Aug 2017
👍1

No, at least in my case session data will help. If I have session data I can see the user identity and in some cases contact that user to ask some question.

This is the most easy case to understand but if you need I can tell you others cases that session data helps even before being used in current request.

lebreRafael picture lebreRafael on 8 Aug 2017

I see. It makes sense but also starting session all the time even when it's not needed is likely to cause concurrency issues. Especially when using default session storage (files).

samdark picture samdark on 8 Aug 2017

So It seems that the best thing we can do is improve docs. We can put a info block after logVars instruction to say that you need to manually open session at errorAction if you need _SESSION var to always appears in log.

lebreRafael picture lebreRafael on 8 Aug 2017

Yes, seems so.

samdark picture samdark on 8 Aug 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

dryu picture dryu  路  3Comments
jpodpro picture jpodpro  路  3Comments
skcn022 picture skcn022  路  3Comments
cyberinferno picture cyberinferno  路  3Comments
indicalabs picture indicalabs  路  3Comments