Michael Howell

PHP sinkhole #1: `$_SESSION` silently eats exceptions while inflating

Mar 9, 2016

Let’s imagine you’re using a custom classloader, you’re storing objects in $_SESSION, and the classloader throws an exception for some reason while inflating it. When that happens, PHP (at least PHP5) does not throw an exception or even a warning when session_start() is called. It will simply give you an empty session variable.

It’s kind of silly to spend days trying to figure that out, and it’s not like anybody would actually make a mistake like that. It’s also kind of silly to think that this is a bug in PHP, rather than a feature, but I’m a bit anal, so I think things like this should be documented somewhere. So I’ve done it.