Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
The new session subsystem is largely undocumented. In some places (like core.api.php) documentation is wrong.
Proposed resolution
Add a session section to the API documentation. Especially document the (small) differences to Symfony sessions and how to use sessions from within a controller.
Remaining tasks
User interface changes
API changes
Follow-up to #2371629: [meta] Finalize Session and User Authentication API
Comment | File | Size | Author |
---|---|---|---|
#31 | interdiff.2488116.25-31.txt | 1.36 KB | joachim |
#31 | 2488116-31.drupal.Document-the-session-subsystem.patch | 3.63 KB | joachim |
#25 | document_the_session-2488116-25.patch | 3.7 KB | priya.chat |
#20 | document_the_session-2488116-20.patch | 3.7 KB | cpj |
#19 | document_the_session-2488116-19.patch | 3.7 KB | cpj |
Comments
Comment #1
znerol CreditAttribution: znerol commentedA rough first version. Sample code is untested.
Comment #2
larowlanComment #3
jhodgdonThanks for the patch! I went through and did a review, and it mostly looks pretty good. A few formatting, housekeeping, and typographical things to address:
method in Drupal, which
requests -> request's, or maybe it should be request object's
Probably it would be good to give a class/interface here for the request too though, or tell how to get hold of the request object?
Also do not use <code> tags in API docs.
.
Remove code tag
We do not want any more api.php files added to the core/modules/system directory. We're moving them in another issue. Please put this somewhere else -- somewhere in core/lib/Drupal that has related classes.
Actually though, since this is just a single defgroup doc block, just put it into the existing core.api.php file rather than creating a whole new file. We only want whole new files when there is a collection of hooks and docs.
users -> user's
No blank line here.
contrib -> contributed
method in
+ * Drupal, which returns an instance of
No blank line here.
Also change
request -> request object's
And it would be useful to say what class the request is and how to get it.
method in
+ * Drupal, which returns an instance of
+ *
\Symfony\Component\HttpFoundation\Session\SessionInterface
. TheTake out "in Drupal".
No CODE tags.
,
get()
and+ *
remove()
.+ *
Are these methods on SessionInterface? Since both the request object and the session object are mentioned, this is slightly ambiguous.
Also no CODE tags.
End previous line with : and remove blank line.
What is a "counter controller"? Where would this go?
Consider shortening this so it fits closer to 80 characters. Maybe make the string:
"Page views: @count"
or something like that, because it would not detract from the example I think?
necessarily is misspelled
Also this is not a sentence. Probably should be combined with previous sentence.
I think backend should be backends also?
and
users => user's
Would be useful to have a link to the State topic here too?
Too many blank lines.
No blank line here
And
contrib -> contributed
The docs say contrib code cannot *access* this information, but then in the paragraph below it just says you cannot *change* the information. Which is correct?
contrib -> contributed
+ * superglobal directly. However, it is recommended to migrate any such code to
No blank line, no CODE tags.
+ * superglobal directly. However, it is recommended to migrate any such code to
+ * the new API.
+ *
Actually I think this whole sections should be removed.
Comment #4
Weilinggu CreditAttribution: Weilinggu commentedI am at Drupalconla, and I am working on this issue.
Comment #5
dipen chaudhary CreditAttribution: dipen chaudhary at QED42 commentedThis patch incorporates comments in #3
@jhodgdon couldn't understand your last comment
You mean all the sections or the backward compatibility section?
Comment #6
dipen chaudhary CreditAttribution: dipen chaudhary at QED42 commentedRemoved trailing spaces.
Comment #7
anavarreThose lines should be wrapped at 80 cols.
Comment #8
jhodgdonIn item 10 of comment #3, I meant that we should not be talking about backwards compatibility -- remove this section entirely. We just don't want to talk about non-recommended APIs in our API docs.
Comment #9
dipen chaudhary CreditAttribution: dipen chaudhary at QED42 commentedUpdated patch for documentation
Comment #10
jhodgdonThanks for the new patch! A few things still need to be fixed:
This second line is now over 80 characters long, so I think this needs a little more wrapping attention. Same for some of the lines farther down... I'll mark them.
Also omit "the" in this second line.
over 80 chars
over 80
these are pretty far under 80 chars and should be rewrapped too.
This is interesting, but how/when/why would this reset() method get called? It's not clear from the code fragment at all, to me at least.
Probably could use a comma before "as".
Trailing spaces on the first two lines.
The link text doesn't make sense in the sentence, which would read "... use state topic and store the key ...". So that needs to be fixed. Probably best to make a plain sentence here, then say "See the (link)State topic(endlink) for more information."
Also, I don't think state-entry should be hyphenated.
And maybe this should say "only store the key to the state entry"? [add "only"]?
over 80 chars
I think I may have mentioned this before, but this says "must not be accessed", when I think it just means it can't be *changed*, right?
third-party should be hyphenated
what is "unrelated code"? Maybe this should actually just say that the value cannot be modified and not specify who cannot modify it?
Comment #11
ashutoshsngh CreditAttribution: ashutoshsngh at Srijan | A Material+ Company commentedComment #12
ashutoshsngh CreditAttribution: ashutoshsngh at Srijan | A Material+ Company commentedComment #13
jhodgdonThanks for the new patch -- this is looking a lot better!
There are still a few things to address:
Should only be one blank line here, I think, before the new Sessions topic?
Class namespace needs to start with \ here
In the Drupal project, we use serial commas.
So this should be:
set(), get(), and remove().
This is a bit odd. Normally, "page views" would be "how many times the public has viewed this page", not "how many pages have I visited on this site".
Given that this is a contrived example, and that the (fake) UI is confusing, I think we should either:
a) Explain above the example that it counts the number of pages the user visits (at least, I think that is maybe what it is doing?)
or
b) Change this UI line to make that clearer.
In either case, a bit of explanation about when this controller gets invoked and how would be good. I still do not know what a "counter controller" is, what class it's defined in, how it makes itself known to Drupal, etc. All of that makes this example very confusing. For me, it raises more questions than it answers. If we're going to put in a long example like this, we need to have it be something that really clarifies things.
This sentence could use some punctuation... how about:
Also, third-party session storage ...
I think someone took one of my previous review comments a bit too literally here -- sorry for being confusing! ;)
To make a link, see
https://www.drupal.org/node/1354/#link
(@link ... @endlink tags)
Also, ... this seems to be two sentences combined with the second in the middle?
So I think it should say:
If it is necessary to collect... specific to a user's session, use the State system and only store the key to the state entry in the session. See the State topic for more information.
(and turn "State topic" into a link using @link @endlink)
OK, trying to make this point again... The first sentence says "... must not be accessed...". [This is not accurate, I think, since it can be accessed by reading, right?] The last bit says "... cannot be modified" [this seems more accurate]. But they cannot contradict each other in the same paragraph.
Also please do not make a bullet list unless there is more than one item in the list. If there is only one item to talk about, just say something like "For example".
So. All that taken into account, this can be a lot shorter.
How about:
Some session attributes put into the session by Drupal core should not be modified by contributed and custom code. For example, the 'uid' attribute, which stores the user ID for a logged-in user, must not be modified.
Comment #14
znerol CreditAttribution: znerol commentedThe example counts the number of times a given user visits that particular example page. This is a very common example (the same is used in the php documentation). I do not quite understand how to write that more clear for novice users. Perhaps we should drop the example here and instead move it into the examples module instead?
The aim of this part is to discourage contrib/custom code authors from using that attribute (both read and write access). There are two scenarios when people might be tempted to use that value:
For the former, people should use the
current_user
service, for the latter there isaccount_switcher
.Comment #15
znerol CreditAttribution: znerol commentedFiled #2502303: Add a session example on the examples project.
Comment #16
jhodgdonI think we should have the example in there. I just think it needs more explanation, and if possible it should be shorter.
So. The current patch says:
Let's change the preceding sentence to say something like this (assuming this is accurate -- I **still** don't know where this code goes or how it would be called for sure):
The following code fragment, which would be called from the controller for a page to count the number of times the page has been visited by the current user, illustrates how to use session information:
Then put in the counter() method example.
Then for the reset() method, you also need to explain in a similar way where the code would go and how it would be called. I have no idea. I think it's important to put the code in, but it needs an explanation.
Thanks!
Comment #17
jhodgdonOh, and regarding the explanation for the uid attribute, OK... So maybe we should say that you shouldn't assume that information in the session can be used the way you think you can, and then give that explanation you just gave in comment #14 about the uid? Because that is a great example of why you can't make assumptions.
And then we should probably also say that you should never modify session information that you didn't put in there yourself.
Comment #18
andypostAnot6her thing how to extend section of "uid" if any other core parts will start to store things, like #2430379: Add explicit test for session based language negotiation
So there should be a d.o page about
Comment #19
cpj CreditAttribution: cpj commentedI moved the patch text to the new location of core.api.php.
I also slightly changed the section on "If it is necessary to collect a non-trivial amount of data", to say this should be stored using the Key/Value store, not the State store, because State is site-specific, not user-session-specific
Comment #20
cpj CreditAttribution: cpj commentedImproved the text again on using Key / Value instead of State
Comment #21
cpj CreditAttribution: cpj commentedComment #22
almaudoh CreditAttribution: almaudoh commentedLet's have some reviews.
Comment #24
jhodgdonThanks! This is looking much better than the last time I reviewed it. It still needs a small amount of work, I think:
Start namespaces with \ in docs
What does "session becomes empty" mean? It seems to imply that there is no session data; if that is what it means, let's say that instead of saying "session becomes empty".
Namespaces need to start with \ in docs
We use serial commas in Drupal docs, so we need a comma after get() here.
The array at the end of this line should I think be:
['@count' => $count]
Add a comma after ] to conform to our coding standards.
maybe add
, to avoid name conflicts.
at the end?
Is there only 1 to mention?
Last line needs 2 spaces of indentation here.
Also this section needs some additional a/an/the added to read better.
Comment #25
priya.chat CreditAttribution: priya.chat at Publicis Sapient for Publicis Sapient commentedHello, I have applied the last patch added by @cpj. Made changes as mentioned by @jhodgdon.
I am not very much clear about the points 1, 9 & 10. So I have covered other points in the patch. Please review this.
Comment #26
jhodgdonHere are some clarifications:
Point 1: If you use a class with a namespace in docs, like \Drupal\Core\Something, you need to start the class/namespace with a \ so not Drupal\Core\Something but \Drupal\Core\Something.
Point 9: Ah, the next line of context should have been included... So the text says "Reserved attributes include" but the next lines only have 1 attribute discussed. So I was just wondering if there were any more? You can ignore this.
Point 10: The grammar is not very good. in these three sentences and the words "a", "an", and "the" need to be added in various places to make it read better. Also all three lines in this area need to have the same indentation.
Also PLEASE make an interdiff file when you upload a new patch and fix things mentioned in a review. It makes it easier for people to see what you have changed. In this case, please fix these points and make an interdiff starting from patch in #20. Thanks! Your patch will not be reviewed without this.
Comment #27
jmarkel CreditAttribution: jmarkel as a volunteer and commentedSymfony\Component\HttpFoundation\Request::getSession() on line 2441 should start with a leading backslash, the way \Symfony\Component\HttpFoundation\Session\SessionInterface does on line 2443.
Comment #31
joachim CreditAttribution: joachim commentedHere's a rerolled patch with all the points in #26 and #27 taken care of.
I simplified this bit, as I don't think we need to explain here how Drupal core handles user login. We can just say the uid of an authenticated user.
> Also PLEASE make an interdiff file when you upload a new patch and fix things mentioned in a review.
Shameless plug: I've released a script that automates making patches and interdiffs: https://github.com/joachim-n/dorgflow
Comment #34
mlncn CreditAttribution: mlncn at Agaric for Drutopia, Teachers with GUTS commentedDear testbot, please test against 8.6
Comment #35
borisson_This new documentation is great, and it does apply to 8.6.x. The remarks from #26 and #27 have been resolved and I couldn't find any other things to change.
Comment #36
alexpottNice improvements.
Committed and pushed e00319e280 to 8.6.x and ece8b9a339 to 8.5.x. Thanks!