$_SESSION vs. drupal_set_session warning wrong
| Project: | Coder |
| Version: | 7.x-1.x-dev |
| Component: | Review/Rules |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
Jump to:
Instruction "Use drupal_set_session instead of $_SESSION (Drupal Docs)." drupal_set_session() doesn't exist.
The instruction links to http://drupal.org/node/224333#drupal_set_session, which says:
"[NEEDS UPDATE] Per discussion in IRC with Damien:
"- from a DX perspective, yes, no change
"- but the reverse proxy changes are still there, including the lazy session start
"- so we probably need to keep a paragraph about that
"- we still do the same thing, but developers can access $_SESSION directly
"- what we need here is a paragraph that tell module developers not to over use the session, and to clean up session data as soon as possible"
I'm not sure whether this kind of advice is in-scope for coder_review or whether the test should just be removed. I favour removal, as it clutters the interface if this warns you for every line you (legitimately) use $_SESSION.
#1
I think it really needs to stay. Don't we have an 'informational warning' level? Thats perfect for this. The real problem is anon users with $_SESSION. to be avoided.