From a7175bae31b25f58c50ba498f7539fb3b3a36779 Mon Sep 17 00:00:00 2001
From: Qiang Xue <qiang.xue@gmail.com>
Date: Mon, 11 Nov 2013 20:52:27 -0500
Subject: [PATCH] Refactored Session as suggested in #1172

---
 framework/yii/web/Session.php | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/framework/yii/web/Session.php b/framework/yii/web/Session.php
index 48420bb..b3be392 100644
--- a/framework/yii/web/Session.php
+++ b/framework/yii/web/Session.php
@@ -80,13 +80,11 @@ class Session extends Component implements \IteratorAggregate, \ArrayAccess, \Co
 	 * @var string the name of the session variable that stores the flash message data.
 	 */
 	public $flashVar = '__flash';
-
 	/**
 	 * @var array parameter-value pairs to override default session cookie parameters that are used for session_set_cookie_params() function
 	 * @see http://www.php.net/manual/en/function.session-set-cookie-params.php
-	 * @see setCookieParams()
 	 */
-	public $cookieParams = ['httpOnly' => true];
+	private $_cookieParams = ['httpOnly' => true];
 
 	/**
 	 * Initializes the application component.
@@ -137,7 +135,7 @@ class Session extends Component implements \IteratorAggregate, \ArrayAccess, \Co
 				);
 			}
 
-			$this->setCookieParams($this->cookieParams);
+			$this->setCookieParamsInternal();
 
 			@session_start();
 
@@ -265,26 +263,36 @@ class Session extends Component implements \IteratorAggregate, \ArrayAccess, \Co
 			$params['httpOnly'] = $params['httponly'];
 			unset($params['httponly']);
 		}
-		return $params;
+		return array_merge($params, $this->_cookieParams);
 	}
 
 	/**
 	 * Sets the session cookie parameters.
-	 * The effect of this method only lasts for the duration of the script.
-	 * Call this method before the session starts.
+	 * The cookie parameters passed to this method will be merged with the result
+	 * of `session_get_cookie_params()`.
 	 * @param array $value cookie parameters, valid keys include: `lifetime`, `path`, `domain`, `secure` and `httpOnly`.
 	 * @throws InvalidParamException if the parameters are incomplete.
 	 * @see http://us2.php.net/manual/en/function.session-set-cookie-params.php
 	 */
-	public function setCookieParams($value)
+	public function setCookieParams(array $value)
+	{
+		$this->_cookieParams = $value;
+	}
+
+	/**
+	 * Sets the session cookie parameters.
+	 * This method is called by [[open()]] when it is about to open the session.
+	 * @throws InvalidParamException if the parameters are incomplete.
+	 * @see http://us2.php.net/manual/en/function.session-set-cookie-params.php
+	 */
+	private function setCookieParamsInternal()
 	{
 		$data = $this->getCookieParams();
 		extract($data);
-		extract($value);
 		if (isset($lifetime, $path, $domain, $secure, $httpOnly)) {
 			session_set_cookie_params($lifetime, $path, $domain, $secure, $httpOnly);
 		} else {
-			throw new InvalidParamException('Please make sure these parameters are provided: lifetime, path, domain, secure and httpOnly.');
+			throw new InvalidParamException('Please make sure cookieParams contains these elements: lifetime, path, domain, secure and httpOnly.');
 		}
 	}