yiisoft · samdark · Mar 9, 2019 · Feb 19, 2018 · Feb 20, 2018 · Feb 23, 2018
diff --git a/framework/CHANGELOG.md b/framework/CHANGELOG.md
@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.0.17 under development
 ------------------------
 
+- Bug #9438, #13740, #15037: Handle DB session callback custom fields before session closed (lubosdz)
 - Bug #17185: Fixed `AssetManager` timestamp appending when a file is published manually (GHopperMSK)
 - Bug #17156: Fixes PHP 7.2 warning when a data provider has no data as a parameter for a GridView (evilito)
 - Bug #17083: Fixed `yii\validators\EmailValidator::$checkDNS` tells that every domain is correct on alpine linux (mikk150)

diff --git a/framework/web/DbSession.php b/framework/web/DbSession.php
@@ -76,6 +76,11 @@ class DbSession extends MultiFieldSession
      */
     public $sessionTable = '{{%session}}';
 
+    /**
+    * @var array Session fields to be written into session table columns
+    * @since 2.0.17
+    */
+    protected $fields = [];
 
     /**
      * Initializes the DbSession component.
@@ -136,6 +141,19 @@ public function regenerateID($deleteOldSession = false)
         }
     }
 
+    /**
+     * Ends the current session and store session data.
+     * @since 2.0.17
+     */
+    public function close()
+    {
+        if ($this->getIsActive()) {
+            // prepare writeCallback fields before session closes
+            $this->fields = $this->composeFields();
+            YII_DEBUG ? session_write_close() : @session_write_close();
+        }
+    }
+
     /**
      * Session read handler.
      * @internal Do not call this method directly.
@@ -169,14 +187,28 @@ public function writeSession($id, $data)
         // exception must be caught in session write handler
         // https://secure.php.net/manual/en/function.session-set-save-handler.php#refsect1-function.session-set-save-handler-notes
         try {
-            $fields = $this->composeFields($id, $data);
-            $fields = $this->typecastFields($fields);
-            $this->db->createCommand()->upsert($this->sessionTable, $fields)->execute();
+            // ensure backwards compatability (fixed #9438)
+            if ($this->writeCallback && !$this->fields) {
+                $this->fields = $this->composeFields();
+            }
+            // ensure data consistency
+            if (!isset($this->fields['data'])) {
+                $this->fields['data'] = $data;
+            } else {
+                $_SESSION = $this->fields['data'];
+            }
+            // ensure 'id' and 'expire' are never affected by [[writeCallback]]
+            $this->fields = array_merge($this->fields, [
+                'id' => $id,
+                'expire' => time() + $this->getTimeout(),
+            ]);
+            $this->fields = $this->typecastFields($this->fields);
+            $this->db->createCommand()->upsert($this->sessionTable, $this->fields)->execute();
+            $this->fields = [];
         } catch (\Exception $e) {
             Yii::$app->errorHandler->handleException($e);
             return false;
         }
-
         return true;
     }
 

diff --git a/framework/web/MultiFieldSession.php b/framework/web/MultiFieldSession.php
@@ -89,30 +89,19 @@ public function getUseCustomStorage()
 
     /**
      * Composes storage field set for session writing.
-     * @param string $id session id
-     * @param string $data session data
+     * @param string $id Optional session id
+     * @param string $data Optional session data
      * @return array storage fields
      */
-    protected function composeFields($id, $data)
+    protected function composeFields($id = null, $data = null)
     {
-        $fields = [
-            'data' => $data,
-        ];
-        if ($this->writeCallback !== null) {
-            $fields = array_merge(
-                $fields,
-                call_user_func($this->writeCallback, $this)
-            );
-            if (!is_string($fields['data'])) {
-                $_SESSION = $fields['data'];
-                $fields['data'] = session_encode();
-            }
+        $fields = $this->writeCallback ? call_user_func($this->writeCallback, $this) : [];
+        if($id !== null){
+            $fields['id'] = $id;
+        }
+        if($data !== null){
+            $fields['data'] = $data;
         }
-        // ensure 'id' and 'expire' are never affected by [[writeCallback]]
-        $fields = array_merge($fields, [
-            'id' => $id,
-            'expire' => time() + $this->getTimeout(),
-        ]);
         return $fields;
     }