To hide behind the word 'Agile' seems like a excuse for poor practice in many places. I am a software engineer, I author business systems that stay running as a single process, without leaking memory, or loosing references. This doesn't apply to webpages. So I am publishing this article as a sketch on why this is a continuous rewrite project.
The start of the project was entirely focussed on being able to render resources, then having resources. Initially, I imported an 'archeocode' library, which I had had written a few years earlier. This code worked without emitting errors, and was probably written on a 2h budget. It created a session object, but was a Class providing OO access to a global variable. Its use case was the constructor which did validation on the session id. This enabled user sessions to work on top of HTTP (using 'sessions' in the lowercase HCI sense), for conserving user effort; never intended for secure sites. With the import, to limit data loss, I made this a Singleton.
This software has an organic growth, as far as features for controlling resource rendering are concerned. In late 2012, I declared freeze on more complex structures in the v1 format, as it was getting unwieldy. I had had plans for a more intelligent v2 format for some time (as a better model of webpages since 2003), and started work on the rebuild to support this. Due to other things consuming my time, and a nasty cold in March; this change took ages. At the end of March, I had completed a list of refactoring, and was using v2 pages.
When logic and structures are more complex, I think unit testing is necessary. This project is increasingly structured to support security. When I looked at Session cookies in Firebug, I realised this needed a rebuild. There had been too many sessions in my /tmp directory, but as they where never used for anything, this wasn't an issue (when there is nothing stored in a session, the ability for malicious people to steal the session means nothing). I had been releasing, and using; rather than being correct.
So I did a rebuild, the new Session class(es) :
- Open a _SESSION in traditional PHP fashion when one is absent/ new;
- Creates a default list of items;
- For non-page requests (i.e. CSS, PNG or JS) trigger my code that doesn't use session_create, so doesn't write out the pragma caching headers. These static resources should be cachable;
- Rejects requests with old session ids;
- Age checks the session itself (rather than just looking at the disk);
- Checks the IP of the client;
- Maintains a session history as breadcrumbs;
- Rebuilds the session id upon permissions change;
- Blocks out the session_id function, for a longer more secure version;
- Access to non-page assets requires currently requires a valid session id (as these shouldn't be the first HTTP request);