Session not initialized correctly #34

@patrickvuarnoz

This might be related to #27.

When any code part tries to access session data via session() but the session hasn't started yet, it will start one automatically. The start() method in the session class does not check for cookie settings defined in the auth config and starts it with default values that cannot be changed anymore.

The start() method should follow the same code as the User class in the Auth module does and take over the config if it is present:

    public static function start()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            /* Start: added code */
            if (class_exists('\Leaf\Auth\Config')) {
                session_set_cookie_params(\Leaf\Auth\Config::get('session.cookie'));
            }
            /* End: added code */
            session_start();
        }
    }

Maybe the User class in the Auth module should also not directly use session_* methods but instead call Session::start() and Session::regenerate() so that it is clear that all session functionality goes over the Session class.

I ran into this issue here because some code part called session()->id() to get the session id if a session was active. The expectation was not that this would start the session but that it would return the session id only if a session was active, similar to PHP's native session_id(). Maybe this behaviour should be changed or there should be a method on the Session class that can be used to check whether a session is active, e.g. session()->isActive().
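
Added example, not part of the original issue and not Leaf's own code: a minimal session wrapper (hypothetical `SessionGuard` class) that applies cookie parameters before `session_start()` and exposes `isActive()` and `id()` without starting a session as a side effect. The cookie array is a constructed stand-in for the auth config's `session.cookie` value.

```php
<?php
// Added example: hypothetical wrapper, not Leaf's Session class.
final class SessionGuard
{
    /** True only when a session is already running; never starts one. */
    public static function isActive(): bool
    {
        return session_status() === PHP_SESSION_ACTIVE;
    }

    /** Session id if a session is active, otherwise null (no implicit start). */
    public static function id(): ?string
    {
        return self::isActive() ? session_id() : null;
    }

    /**
     * Start the session, applying cookie parameters first.
     * They are only honoured when set before session_start().
     */
    public static function start(?array $cookieParams = null): bool
    {
        if (self::isActive()) {
            return true; // already running; cookie flags can no longer be changed
        }
        if ($cookieParams) {
            session_set_cookie_params($cookieParams);
        }
        return session_start();
    }
}

// Constructed sample values standing in for the auth config's 'session.cookie'.
$cookie = [
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
];

$before = SessionGuard::id();   // reading the id must not start a session
SessionGuard::start($cookie);
$after  = SessionGuard::id();
$params = session_get_cookie_params();

// Print after session_start() so no output is sent before the session headers.
var_dump($before, is_string($after), $params['secure'], $params['httponly'], $params['samesite']);
```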
