Minz allow parallel sessions (#3096)

* Minz allow parallel sessions

#fix https://github.com/FreshRSS/FreshRSS/issues/3093

* Array optimisation

* Array optimisation missing

* Reduce direct access to $_SESSION except in install process

* Fix session start headers warning

* Use cookie only the first time the session is started:
`PHP Warning:  session_start(): Cannot start session when headers
already sent in /var/www/FreshRSS/lib/Minz/Session.php on line 39`

* New concept of volatile session for API calls

Optimisation: do not use cookies or local storage at all for API calls
without a Web session
Fix warning:

```
PHP Warning:  session_destroy(): Trying to destroy uninitialized session
in Unknown on line 0
```

* Only call Minz_Session::init once in our index

It was called twice (once indirectly via FreshRSS->init())

* Whitespace

* Mutex for notifications

Implement mutex for notifications
https://github.com/FreshRSS/FreshRSS/pull/3208#discussion_r499509809

* Typo

* Install script is not ready for using Minz_Session

3 files changed, 66 insertions, 6 deletions

diff --git a/lib/Minz/Error.php b/lib/Minz/Error.php
index 3e4a3e8f3..2fb5a4d5d 100644
--- a/lib/Minz/Error.php
+++ b/lib/Minz/Error.php
@@ -24,8 +24,10 @@ class Minz_Error {
 		$error_filename = APP_PATH . '/Controllers/errorController.php';
 
 		if (file_exists ($error_filename)) {
-			Minz_Session::_param('error_code', $code);
-			Minz_Session::_param('error_logs', $logs);
+			Minz_Session::_params([
+				'error_code' => $code,
+				'error_logs' => $logs,
+			]);
 
 			Minz_Request::forward (array (
 				'c' => 'error'
diff --git a/lib/Minz/Request.php b/lib/Minz/Request.php
index fc333244f..271bcf738 100644
--- a/lib/Minz/Request.php
+++ b/lib/Minz/Request.php
@@ -269,13 +269,14 @@ class Minz_Request {
 	}
 
 	private static function setNotification($type, $content) {
-		//TODO: Will need to ensure non-concurrency when landing https://github.com/FreshRSS/FreshRSS/pull/3096
+		Minz_Session::lock();
 		$requests = Minz_Session::param('requests', []);
 		$requests[self::requestId()] = [
 				'time' => time(),
 				'notification' => [ 'type' => $type, 'content' => $content ],
 			];
 		Minz_Session::_param('requests', $requests);
+		Minz_Session::unlock();
 	}
 
 	public static function setGoodNotification($content) {
@@ -288,7 +289,7 @@ class Minz_Request {
 
 	public static function getNotification() {
 		$notif = null;
-		//TODO: Will need to ensure non-concurrency when landing https://github.com/FreshRSS/FreshRSS/pull/3096
+		Minz_Session::lock();
 		$requests = Minz_Session::param('requests');
 		if ($requests) {
 			//Delete abandonned notifications
@@ -301,6 +302,7 @@ class Minz_Request {
 			}
 			Minz_Session::_param('requests', $requests);
 		}
+		Minz_Session::unlock();
 		return $notif;
 	}
 
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php
index 97b15c4d0..cb0e5336e 100644
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -4,18 +4,51 @@
  * La classe Session gère la session utilisateur
  */
 class Minz_Session {
+	private static $volatile = false;
+
+	/**
+	 * For mutual exclusion.
+	 */
+	private static $locked = false;
+
+	public static function lock() {
+		if (!self::$volatile && !self::$locked && session_start()) {
+			self::$locked = true;
+		}
+		return self::$locked;
+	}
+
+	public static function unlock() {
+		if (!self::$volatile && session_write_close()) {
+			self::$locked = false;
+		}
+		return self::$locked;
+	}
+
 	/**
 	 * Initialise la session, avec un nom
 	 * Le nom de session est utilisé comme nom pour les cookies et les URLs(i.e. PHPSESSID).
 	 * Il ne doit contenir que des caractères alphanumériques ; il doit être court et descriptif
+	 * If the volatile parameter is true, then no cookie and not session storage are used.
+	 * Volatile is especially useful for API calls without cookie / Web session.
 	 */
-	public static function init($name) {
+	public static function init($name, $volatile = false) {
+		self::$volatile = $volatile;
+		if (self::$volatile) {
+			$_SESSION = [];
+			return;
+		}
+
 		$cookie = session_get_cookie_params();
 		self::keepCookie($cookie['lifetime']);
 
 		// démarre la session
 		session_name($name);
+		//When using cookies (default value), session_stars() sends HTTP headers
 		session_start();
+		session_write_close();
+		//Use cookie only the first time the session is started to avoid resending HTTP headers
+		ini_set('session.use_cookies', '0');
 	}
 
 
@@ -35,13 +68,34 @@ class Minz_Session {
 	 * @param $v la valeur à attribuer, false pour supprimer
 	 */
 	public static function _param($p, $v = false) {
+		if (!self::$volatile && !self::$locked) {
+			session_start();
+		}
 		if ($v === false) {
 			unset($_SESSION[$p]);
 		} else {
 			$_SESSION[$p] = $v;
 		}
+		if (!self::$volatile && !self::$locked) {
+			session_write_close();
+		}
 	}
 
+	public static function _params($keyValues) {
+		if (!self::$volatile && !self::$locked) {
+			session_start();
+		}
+		foreach ($keyValues as $k => $v) {
+			if ($v === false) {
+				unset($_SESSION[$k]);
+			} else {
+				$_SESSION[$k] = $v;
+			}
+		}
+		if (!self::$volatile && !self::$locked) {
+			session_write_close();
+		}
+	}
 
 	/**
 	 * Permet d'effacer une session
@@ -50,7 +104,9 @@ class Minz_Session {
 	public static function unset_session($force = false) {
 		$language = self::param('language');
 
-		session_destroy();
+		if (!self::$volatile) {
+			session_destroy();
+		}
 		$_SESSION = array();
 
 		if (!$force) {