NEW Add database session handler implementation

GuySartorelli · GuySartorelli · commit 14cf7dcee27b · 2025-07-21T16:52:09.000+12:00
This is an easy option for multi-server hosting environments, though is
likely less performant than the other session handlers on offer.
diff --git a/_config/session.yml b/_config/session.yml
@@ -24,3 +24,16 @@ SilverStripe\Core\Injector\Injector:
       # is technically valid so we have to disable containers to avoid
       # weird behaviour with versioned, etc.
       disable-container: true
+
+SilverStripe\Dev\Command\DbBuild:
+  extensions:
+    DbBuildSessionExtension: 'SilverStripe\Control\SessionHandler\DbBuildSessionExtension'
+
+---
+Name: 'session-handlers-test-session'
+Only:
+  moduleexists: 'silverstripe/testsession'
+---
+SilverStripe\TestSession\TestSessionEnvironment:
+  extensions:
+    DbBuildSessionExtension: 'SilverStripe\Control\SessionHandler\DbBuildSessionExtension'
diff --git a/src/Control/SessionHandler/DatabaseSessionHandler.php b/src/Control/SessionHandler/DatabaseSessionHandler.php
@@ -0,0 +1,217 @@
+<?php
+
+namespace SilverStripe\Control\SessionHandler;
+
+use SensitiveParameter;
+use SilverStripe\Core\Config\Configurable;
+use SilverStripe\Core\Convert;
+use SilverStripe\ORM\Connect\Query;
+use SilverStripe\ORM\DataObject;
+use SilverStripe\ORM\DB;
+use SilverStripe\ORM\FieldType\DBDatetime;
+use SilverStripe\ORM\Queries\SQLDelete;
+use SilverStripe\ORM\Queries\SQLInsert;
+use SilverStripe\ORM\Queries\SQLSelect;
+use SilverStripe\ORM\Queries\SQLUpdate;
+
+/**
+ * Session save handler that stores session data in the database.
+ */
+class DatabaseSessionHandler extends AbstractSessionHandler
+{
+    use Configurable;
+
+    private static string $table_name = '_sessions';
+
+    public function open(string $path, string $name): bool
+    {
+        // No action is required to open the session.
+        return true;
+    }
+
+    public function close(): bool
+    {
+        // No action is required to close the session.
+        return true;
+    }
+
+    /**
+     * @inheritDoc
+     * Clears the cache entry that represents this session ID.
+     */
+    public function destroy(#[SensitiveParameter] string $id): bool
+    {
+        if (!$this->isDatabaseReady()) {
+            return false;
+        }
+
+        SQLDelete::create(
+            Convert::symbol2sql(static::config()->get('table_name')),
+            [Convert::symbol2sql('SessionID') => $id]
+        )->execute();
+        return true;
+    }
+
+    /**
+     * @inheritDoc
+     * Clears all session cache which have a last modified datetime older than the session max lifetime.
+     * Note that we use our own calculated session lifetime rather than the passed in lifetime which doesn't
+     * take Silverstripe CMS configuration values into account.
+     */
+    public function gc(int $max_lifetime): int|false
+    {
+        if (!$this->isDatabaseReady()) {
+            return false;
+        }
+
+        SQLDelete::create(
+            Convert::symbol2sql(static::config()->get('table_name')),
+            [Convert::symbol2sql('Expiry') . ' < ?' => DBDatetime::now()->getTimestamp()]
+        )->execute();
+        return DB::affected_rows();
+    }
+
+    /**
+     * @inheritDoc
+     * Returns data of a pre-existing session, or an empty string for a new session.
+     */
+    public function read(#[SensitiveParameter] string $id): string|false
+    {
+        if (!$this->isDatabaseReady()) {
+            return false;
+        }
+
+        /** @var Query $rows */
+        $rows = DB::withPrimary(fn() => $this->getSqlSelect($id)->execute());
+        if ($rows->numRecords() === 0) {
+            return '';
+        }
+        return $rows->record()['Data'];
+    }
+
+    /**
+     * @inheritDoc
+     * Writes session data to a cache entry.
+     */
+    public function write(#[SensitiveParameter] string $id, string $data): bool
+    {
+        if (!$this->isDatabaseReady()) {
+            return false;
+        }
+
+        if ($this->sessionExists($id, true)) {
+            $query = SQLUpdate::create(where: [Convert::symbol2sql('SessionID') => $id]);
+        } else {
+            $query = SQLInsert::create(assignments: [Convert::symbol2sql('SessionID') => $id]);
+        }
+        $query->addFrom(Convert::symbol2sql(static::config()->get('table_name')));
+        $query->addAssignments([
+            Convert::symbol2sql('Data') => $data,
+            Convert::symbol2sql('Expiry') => DBDatetime::now()->getTimestamp() + $this->getLifetime(),
+        ]);
+        $query->execute();
+        return true;
+    }
+
+    /**
+     * @inheritDoc
+     * A session ID is valid if an entry for that session ID already exists and has not expired.
+     */
+    public function validateId(#[SensitiveParameter] string $id): bool
+    {
+        if (!$this->isDatabaseReady()) {
+            return false;
+        }
+        return $this->sessionExists($id);
+    }
+
+    /**
+     * @inheritDoc
+     * Called instead of write if session.lazy_write is enabled and no data has changed for this session.
+     */
+    public function updateTimestamp(#[SensitiveParameter] string $id, string $data): bool
+    {
+        // The logic for updating the timestamp ends up being effectively identical to just
+        // writing the session - there's no optimisation to be made by using separate logic.
+        return $this->write($id, $data);
+    }
+
+    /**
+     * Add the database table. This is called by an extension when building the db.
+     * Note that we don't just use a DataObject because:
+     * 1. We don't want things like versioning, fluent, etc to ever be able to affect sessions
+     * 2. We don't want developers to be affecting db operations via hooks (interact with sessions with the Session class)
+     * 3. We don't want sessions to be used in any other ways that DataObjects are often
+     * 4. We only want to build the table if this is the configured save handler
+     */
+    public function requireTable()
+    {
+        $fields = [
+            'ID' => 'PrimaryKey',
+            'SessionID' => 'Varchar(64)',
+            'Expiry' => 'Int',
+            'Data' => 'Text',
+        ];
+        $indexes = [ // @TODO - check this is correct syntax
+            'SessionID' => [
+                'type' => 'unique' // @TODO can I make this the primary key??
+            ],
+            'Expiry' => true,
+        ];
+        DB::get_schema()->schemaUpdate(function () use ($fields, $indexes) {
+            DB::require_table(
+                static::config()->get('table_name'),
+                $fields,
+                $indexes,
+                true,
+                DataObject::config()->get('create_table_options')
+            );
+        });
+    }
+
+    /**
+     * Get an SQLSelect for selecting the data for the given session ID.
+     * If $allowExpired is false, expired sessions are explicitly excluded.
+     */
+    private function getSqlSelect(#[SensitiveParameter] string $id, bool $allowExpired = false): SQLSelect
+    {
+        $select = SQLSelect::create(
+            Convert::symbol2sql('Data'),
+            Convert::symbol2sql(static::config()->get('table_name')),
+            [Convert::symbol2sql('SessionID') => $id],
+        );
+        if (!$allowExpired) {
+            $select->addWhere([Convert::symbol2sql('Expiry') . ' >= ?' => DBDatetime::now()->getTimestamp()]);
+        }
+        return $select;
+    }
+
+    /**
+     * Check if a session with this ID exists.
+     * If $allowExpired is false, returns false for expired sessions.
+     */
+    private function sessionExists(#[SensitiveParameter] string $id, bool $allowExpired = false): bool
+    {
+        // Note this is the same logic used in DataQuery::exists()
+        $row = DB::withPrimary(function () use ($id, $allowExpired) {
+            $select = $this->getSqlSelect($id, $allowExpired);
+            $subQuerySql = $select->sql($params);
+            $selectExists = SQLSelect::create('1')->addWhere(['EXISTS (' . $subQuerySql . ')' => $params])->execute();
+            return $selectExists->record();
+        });
+        if ($row) {
+            $result = reset($row);
+        } else {
+            $result = false;
+        }
+        return $result === true || $result === 1 || $result === '1';
+    }
+
+    private function isDatabaseReady()
+    {
+        if (!DB::connection_attempted() || !DB::is_active()) {
+            return false;
+        }
+        return DB::get_schema()->hasTable(static::config()->get('table_name'));
+    }
+}
diff --git a/src/Control/SessionHandler/DbBuildSessionExtension.php b/src/Control/SessionHandler/DbBuildSessionExtension.php
@@ -0,0 +1,66 @@
+<?php
+
+namespace SilverStripe\Control\SessionHandler;
+
+use SilverStripe\Control\Director;
+use SilverStripe\Control\Session;
+use SilverStripe\Core\Extension;
+use SilverStripe\Core\Injector\Injector;
+use SilverStripe\PolyExecution\PolyOutput;
+
+/**
+ * Builds the table for DatabaseSessionHandler if that is the configured session save handler.
+ */
+class DbBuildSessionExtension extends Extension
+{
+    /**
+     * This extension hook is on TestSessionEnvironment, which is used by behat but not by phpunit.
+     * For whatever reason, behat doesn't build the db the normal way, so we can't rely on the below
+     * onAfterbuild being run in that scenario.
+     */
+    protected function onAfterStartTestSession()
+    {
+        $sessionHandler = $this->getSessionHandler();
+        if (!$sessionHandler) {
+            return;
+        }
+
+        $output = PolyOutput::create(
+            Director::is_cli() ? PolyOutput::FORMAT_ANSI : PolyOutput::FORMAT_HTML,
+            PolyOutput::VERBOSITY_QUIET
+        );
+        $output->startList();
+        $sessionHandler->requireTable();
+        $output->stopList();
+    }
+
+    /**
+     * This extension hook is on DbBuild, after building the database.
+     */
+    protected function onAfterBuild(PolyOutput $output): void
+    {
+        $sessionHandler = $this->getSessionHandler();
+        if (!$sessionHandler) {
+            return;
+        }
+
+        $output->writeln('<options=bold>Creating table for session data</>');
+        $output->startList();
+        $sessionHandler->requireTable();
+        $output->stopList();
+        $output->writeln(['<options=bold>session database build completed!</>', '']);
+    }
+
+    private function getSessionHandler(): ?DatabaseSessionHandler
+    {
+        $sessionHandlerServiceName = Session::config()->get('save_handler');
+        if ($sessionHandlerServiceName === null) {
+            return null;
+        }
+        $sessionHandler = Injector::inst()->get($sessionHandlerServiceName);
+        if (!is_a($sessionHandler, DatabaseSessionHandler::class)) {
+            return null;
+        }
+        return $sessionHandler;
+    }
+}
