Broken Session
Fix flash data handling and session cleanup
Challenge: Broken Session
Difficulty: Medium
Bugs: 2
Time: 60 minutes
The Problem
The session management system has two bugs affecting flash data.
Symptoms:
- Flash data not retrieved correctly
- Flash messages persist across multiple requests (should disappear after one)
Setup
Backup Current Files
cp framework/Core/Session.php framework/Core/Session.php.backup
Copy Broken Files
cp challenges/broken-session/framework/Core/Session.php framework/Core/
cp -r challenges/broken-session/Http/controllers/contact Http/controllers/
Add Routes
cat challenges/broken-session/routes/routes.php >> routes/routes.php
Test the Bugs
- Visit /contact
- Submit form with empty fields (validation errors won't show!)
- Submit valid form (success message persists after refresh!)
Bug #1: Session::get() Checks Wrong Order
The Symptom
Flash data is not retrieved correctly.
What's Happening
// BROKEN - checks regular session first
public static function get($key, $default = null) {
    return $_SESSION[$key] ?? $_SESSION['_flash'][$key] ?? $default;
}
This checks regular session data before flash data, so a regular session key with the same name always hides the flash value.
Why It's Broken
Flash data should have priority:
Request 1: Session::flash('errors', [...])
→ Stored in $_SESSION['_flash']['errors']
Request 2: Session::get('errors')
→ Should check _flash first
→ But checks $_SESSION['errors'] first (doesn't exist)
→ Never finds the flash data!
The Fix
Check flash data first:
// ✅ CORRECT
public static function get($key, $default = null) {
    return $_SESSION['_flash'][$key] ?? $_SESSION[$key] ?? $default;
}
Lesson: Flash data should have priority over regular session data!
Bug #2: unflash() is Disabled
The Symptom
Flash messages persist across multiple requests.
What's Happening
// BROKEN - cleanup commented out
public static function unflash() {
    // unset($_SESSION['_flash']);
}
Without cleanup, flash data never gets removed and appears on every request.
Why It's Broken
Flash data lifecycle:
Request 1: Session::flash('success', 'Saved!')
→ $_SESSION['_flash']['success'] = 'Saved!'
Request 2: Session::get('success')
→ Returns 'Saved!'
→ Session::unflash() should remove it
→ But it's commented out!
Request 3: Session::get('success')
→ Still returns 'Saved!' (should be null)
The Fix
Uncomment the cleanup:
// ✅ CORRECT
public static function unflash() {
    unset($_SESSION['_flash']);
}
Flash Data Lifecycle
Understanding how flash data should work:
┌─────────────────────────────────────────┐
│ Request 1: Store Flash Data             │
│ Session::flash('key', 'value')          │
│ → $_SESSION['_flash']['key'] = 'value'  │
└──────────────┬──────────────────────────┘
               ↓
┌─────────────────────────────────────────┐
│ Request 2: Retrieve Flash Data          │
│ Session::get('key')                     │
│ → Returns 'value'                       │
│ → Session::unflash() called at end      │
│ → $_SESSION['_flash'] removed           │
└──────────────┬──────────────────────────┘
               ↓
┌─────────────────────────────────────────┐
│ Request 3: Flash Data Gone              │
│ Session::get('key')                     │
│ → Returns null                          │
└─────────────────────────────────────────┘
Verification
After fixing both bugs, run verification:
php artisan verify broken-session
Expected output:
╔══════════════════════════════════════════════════════════════╗
║ DALT Challenge Verification System ║
╚══════════════════════════════════════════════════════════════╝
Verifying: broken-session
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✓ Session::get() checks flash data first
✓ Session::unflash() is enabled
✓ Flash data cleanup works correctly
✓ No problematic code found
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Results: 4/4 tests passed
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ All tests passed! Challenge complete!
Testing Your Fix
Test Validation Errors
- Visit http://localhost:8000/contact
- Submit empty form
- Should see error messages
- Refresh page - errors should disappear
Test Old Input
- Fill form partially
- Submit with some fields empty
- Should see your input preserved in valid fields
Test Success Message
- Submit valid form
- Should see success message
- Refresh page - message should disappear
Success Criteria
When fixed correctly:
- ✅ Validation errors display after form submission
- ✅ Old form input is preserved after validation errors
- ✅ Success messages display once and disappear after refresh
- ✅ Flash data is cleaned up properly
Learning Objectives
After completing this challenge, you understand:
- ✅ How sessions persist data across requests
- ✅ The difference between regular and flash session data
- ✅ Why flash data must be cleaned up
- ✅ How form validation uses flash data
- ✅ The flash data lifecycle
Debugging Tips
Check Session Contents
dd($_SESSION);
Trace Flash Data
// After flashing
dd($_SESSION['_flash']);
Test Cleanup
Refresh the page multiple times and check if flash persists.
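The lookup order from Bug #1 and the cleanup from Bug #2 can also be checked from the command line, without a browser. The script below is an added example, not the framework's Session.php: DemoSession and lifecycle() are hypothetical names, $_SESSION is a plain array filled with constructed data, and unflash() is assumed to run at the end of the request that reads the flash data, as in the lifecycle diagram.

```php
<?php
// Added example: a stand-in for the Session class, runnable under the PHP CLI.
final class DemoSession
{
    public static function flash(string $key, $value): void
    {
        $_SESSION['_flash'][$key] = $value;
    }

    // Lookup order from Bug #1: a regular key with the same name wins.
    public static function getBroken(string $key, $default = null)
    {
        return $_SESSION[$key] ?? $_SESSION['_flash'][$key] ?? $default;
    }

    // Fixed lookup order: flash data wins.
    public static function get(string $key, $default = null)
    {
        return $_SESSION['_flash'][$key] ?? $_SESSION[$key] ?? $default;
    }

    public static function unflash(): void
    {
        unset($_SESSION['_flash']);
    }
}

// Returns what requests 2 and 3 read for 'success'; $cleanup = false mimics Bug #2.
function lifecycle(bool $cleanup): array
{
    $_SESSION = [];
    DemoSession::flash('success', 'Saved!');   // request 1 stores the message
    $second = DemoSession::get('success');     // request 2 reads it
    if ($cleanup) {
        DemoSession::unflash();                // end of request 2
    }
    return [$second, DemoSession::get('success')]; // request 3 reads again
}

// Constructed data: a leftover regular 'errors' key next to a fresh flash value.
$_SESSION = ['errors' => ['stale']];
DemoSession::flash('errors', ['email' => 'required']);
$results = [
    'broken order returns the stale regular value' => DemoSession::getBroken('errors') === ['stale'],
    'fixed order returns the flashed errors' => DemoSession::get('errors') === ['email' => 'required'],
    'with cleanup the message is gone on request 3' => lifecycle(true) === ['Saved!', null],
    'without cleanup the message is still there' => lifecycle(false) === ['Saved!', 'Saved!'],
];
foreach ($results as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . "  $label\n";
}
```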
Files to Investigate
- framework/Core/Session.php - Session management (bugs here!)
- public/index.php - See where Session::unflash() is called
- Http/controllers/contact/submit.php - See how flash data is stored
- Http/controllers/contact/form.php - See how flash data is retrieved
Cleanup
After completing the challenge:
# Restore original Session class
cp framework/Core/Session.php.backup framework/Core/Session.php
# Remove challenge controllers (optional)
rm -rf Http/controllers/contact
Congratulations! 🎉
You've completed all five challenges! You now understand:
- ✅ Routing and parameter extraction
- ✅ Middleware execution and validation
- ✅ Authentication and password security
- ✅ Database queries and SQL injection prevention
- ✅ Session management and flash data