magneto/magento2#12362 Do not remove session instantly

[swnsma]

Give configurable time delay to capture session id.
Remove old sessions only after new session id cookie was received.

Description

Current pull request contains fix for the issue #12362.
Problem related to specific case of session work in PHP.
In case of call function 'session_regenerate_id(true)' there is required to be sure that renewed cookie will be successfully delivered to the browser.
Current PR provide functionality to keep old session till customer will not receive cookie.

Fixed Issues

1. Concurrent (quick reload) requests on checkout cause cart to empty - related to session_regenerate_id #12362: Concurrent (quick reload) requests on checkout cause cart to empty - related to session_regenerate_id
2. [2.1.11] Add to cart, try to checkout, cart is empty but mini-cart has items. #13427: [2.1.11] Add to cart, try to checkout, cart is empty but mini-cart has items.
3. Hit fast twice F5 on checout page, customer loggs out automatically #4301: Hit fast twice F5 on checout page, customer loggs out automatically

Manual testing scenarios

Pre-Conditions

1. Magento 2.2.0
2. PHP7

Steps to reproduce

1. Add product to cart
2. Navigate to checkout
3. Reload the page as quick as possible (F5 multiple times)

Expected result

1. Reload the checkout as usual
2. Cart contains session items

Actual result

1. Redirects to empty cart

Contribution checklist

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• All automated tests passed successfully (all builds on Travis CI are green)

[larsroettig]

Hi @swnsma,
Thank you for contribution. Currently, I cannot accept your Pull request for merge. First, the codacy build is red see review comments. The second problem is the static test see https://travis-ci.org/magento/magento2/jobs/360827154

Best regards,

Lars

[larsroettig]

sessionStart accesses the super-global variable $_SESSION.
https://app.codacy.com/app/shyamranpara/magento2/pullRequest?prid=1494337

[swnsma]

@larsroettig, thank you for the review.
The problem has been fixed.

[larsroettig]

regenerateSessionId accesses the super-global variable $_SESSION.

Superglobal variables in PHP should not be accessed directly. Instead of writing:

$name = $_POST['foo'];
You should encapsulate the call in an single class. Most PHP frameworks already wrap Superglobals into a request object so you can use that.

https://app.codacy.com/app/shyamranpara/magento2/pullRequest?prid=1494337

[swnsma]

@larsroettig, thank you for the review.
The problem has been fixed.

[orlangur]

Apply changes against 2.2-develop branch first so that this PR can be processed.

[orlangur]

I don't think putting such a sensitive configuration option into Admin UI is a good idea. 300 seconds is a huge delay, I believe we should pick up some reasonable value.

Ideally solution must not involve any timeout at all allowing just to create new session seamlessly.

[swnsma]

@orlangur, thank you for the review.
I agree that such configuration should not be placed in Admin UI.

About timeout, I have added it to the solution as additional security frontier in session recovery.
Old session will be removed as soon as response with new session id will be received.
And this timeout is for that cases when new session was generated but response with new session id will never be received.

Unfortunately, one of PHP session flaw is that you can not be sure that cookie with session id was delivered to browser or no.

About timeout, I agree that 5m is a huge delay. I have decreased the default number to 30s.

[swnsma]

Pull request into 2.2-develop has been created: #14487