- 
                Notifications
    You must be signed in to change notification settings 
- Fork 8k
Description
Description
In the Enums RFC then it was stated that Enums will have their own code when serialised. It then mentions:
On deserialization, if an enum and case cannot be found to match a serialized value a warning will be issued and false returned. (That is standard existing behavior for unserialize().)
While the above does hold for enums, this isn't the case for non-enum classes - instead then __PHP_Incomplete_Class is returned and importantly, behind the scenes the original class serialisation is maintained. This is actually the existing behaviour if the serialisation string is entirely invalid.
The pre-existing behaviour with sessions in particular, means you can have a 1st party class and a scalar (for instance), and a seperate file can load that session, change the scalar and (successfully) save the session without affecting the stored 1st party class.
In the implementation of enums however, it is implemented as per the RFC - on either an enum being stored in a session or serialised via serialize call; and then later deserialized, a warning is thrown and false is returned instead of an array. Even worse, if this is a session then the error 'Failed to decode session object. Session has been destroyed' is raised and the entire session file is destroyed (even if it no changes are made (and lazy_write is enabled) or read_and_close is used - so you wouldn't expect the script to modify the session.
There are some test links that show the behaviour (https://3v4l.org/mLGPa, https://3v4l.org/u130I), with the session-based one showing the behaviour reproduced here:
class X{}
session_start();
$_SESSION["x"] = new X();
$_SESSION["y"] = "5";
echo session_encode();
// Echoes:  x|O:1:"X":0:{}y|s:1:"5";
session_start();
session_decode('x|O:1:"X":0:{}y|s:1:"5";');
$_SESSION["y"] = 6;
echo session_encode();
die();
print_r($_SESSION);
/* Echos:
Array
(
    [x] => __PHP_Incomplete_Class Object
        (
            [__PHP_Incomplete_Class_Name] => X
        )
    [y] => 5
)
*/
enum Y{
    case Y;
}
session_start();
$_SESSION["x"] = Y::Y;
$_SESSION["y"] = "5";
echo session_encode();
// Echoes: x|E:3:"Y:Y";y|s:1:"5";
session_start();
session_decode('x|E:3:"Y:Y";y|s:1:"5";');
print_r($_SESSION);
/* Echoes: 
Warning: session_decode(): Class 'Y' not found in /in/1IEIF on line 36
Warning: session_decode(): Failed to decode session object. Session has been destroyed in /in/1IEIF on line 36
Array
(
)
*/
PHP Version
PHP 8.3.22 (cli) (built: Jun  6 2025 08:44:51) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.22, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.22, Copyright (c), by Zend Technologies
Operating System
No response