Previous Next

Global Session Management

The default behavior of sessions can be modified using the static methods of Zend_Session. All management and manipulation of global session management occurs using Zend_Session, including configuration of the » usual options provided by ext/session, using Zend_Session::setOptions(). For example, failure to insure the use of a safe save_path or a unique cookie name by ext/session using Zend_Session::setOptions() may result in security issues.

Configuration Options

When the first session namespace is requested, Zend_Session will automatically start the PHP session, unless already started with Zend_Session::start(). The underlying PHP session will use defaults from Zend_Session, unless modified first by Zend_Session::setOptions().

To set a session configuration option, include the basename (the part of the name after "session.") as a key of an array passed to Zend_Session::setOptions(). The corresponding value in the array is used to set the session option value. If no options are set by the developer, Zend_Session will utilize recommended default options first, then the default php.ini settings. Community feedback about best practices for these options should be sent to » fw-auth@lists.zend.com.

Example #1 Using Zend_Config to Configure Zend_Session

To configure this component using Zend_Config_Ini, first add the configuration options to the INI file:

; Accept defaults for production
[production]
; bug_compat_42
; bug_compat_warn
; cache_expire
; cache_limiter
; cookie_domain
; cookie_lifetime
; cookie_path
; cookie_secure
; entropy_file
; entropy_length
; gc_divisor
; gc_maxlifetime
; gc_probability
; hash_bits_per_character
; hash_function
; name should be unique for each PHP application sharing the same
; domain name
name = UNIQUE_NAME
; referer_check
; save_handler
; save_path
; serialize_handler
; use_cookies
; use_only_cookies
; use_trans_sid

; remember_me_seconds = 
; strict = on|off

; Development inherits configuration from production, but overrides
; several values
[development : production]
; Don't forget to create this directory and make it rwx (readable and
; modifiable) by PHP.
save_path = /home/myaccount/zend_sessions/myapp
use_only_cookies = on
; When persisting session id cookies, request a TTL of 10 days
remember_me_seconds = 864000

Next, load the configuration file and pass its array representation to Zend_Session::setOptions():

$config = new Zend_Config_Ini('myapp.ini', 'development');

Zend_Session::setOptions($config->toArray());

Most options shown above need no explanation beyond that found in the standard PHP documentation, but those of particular interest are noted below.

  • boolean strict - disables automatic starting of Zend_Session when using new Zend_Session_Namespace().

  • integer remember_me_seconds - how long should session id cookie persist, after user agent has ended (e.g., browser application terminated).

  • string save_path - The correct value is system dependent, and should be provided by the developer using an absolute path to a directory readable and writable by the PHP process. If a writable path is not supplied, then Zend_Session will throw an exception when started (i.e., when start() is called).

    Note: Security Risk

    If the path is readable by other applications, then session hijacking might be possible. if the path is writable by other applications, then » session poisoning might be possible. If this path is shared with other users or other PHP applications, various security issues might occur, including theft of session content, hijacking of sessions, and collision of garbage collection (e.g., another user's application might cause PHP to delete your application's session files).

    For example, an attacker can visit the victim's website to obtain a session cookie. Then, he edits the cookie path to his own domain on the same server, before visiting his own website to execute var_dump($_SESSION). Armed with detailed knowledge of the victim's use of data in their sessions, the attacker can then modify the session state (poisoning the session), alter the cookie path back to the victim's website, and then make requests from the victim's website using the poisoned session. Even if two applications on the same server do not have read/write access to the other application's save_path, if the save_path is guessable, and the attacker has control over one of these two websites, the attacker could alter their website's save_path to use the other's save_path, and thus accomplish session poisoning, under some common configurations of PHP. Thus, the value for save_path should not be made public knowledge and should be altered to a secure location unique to each application.

  • string name - The correct value is system dependent and should be provided by the developer using a value unique to the application.

    Note: Security Risk

    If the php.ini setting for session.name is the same (e.g., the default "PHPSESSID"), and there are two or more PHP applications accessible through the same domain name then they will share the same session data for visitors to both websites. Additionally, possible corruption of session data may result.

  • boolean use_only_cookies - In order to avoid introducing additional security risks, do not alter the default value of this option.

    Note: Security Risk

    If this setting is not enabled, an attacker can easily fix victim's session ids, using links on the attacker's website, such as http://www.example.com/index.php?PHPSESSID=fixed_session_id. The fixation works, if the victim does not already have a session id cookie for example.com. Once a victim is using a known session id, the attacker can then attempt to hijack the session by pretending to be the victim, and emulating the victim's user agent.

Error: Headers Already Sent

If you see the error message, "Cannot modify header information - headers already sent", or, "You must call ... before any output has been sent to the browser; output started in ...", then carefully examine the immediate cause (function or method) associated with the message. Any actions that require sending HTTP headers, such as sending a cookie, must be done before sending normal output (unbuffered output), except when using PHP's output buffering.

  • Using » output buffering often is sufficient to prevent this issue, and may help improve performance. For example, in php.ini, "output_buffering = 65535" enables output buffering with a 64K buffer. Even though output buffering might be a good tactic on production servers to increase performance, relying only on buffering to resolve the "headers already sent" problem is not sufficient. The application must not exceed the buffer size, or the problem will occur whenever the output sent (prior to the HTTP headers) exceeds the buffer size.

  • If a Zend_Session method is involved in causing the error message, examine the method carefully, and make sure its use really is needed in the application. For example, the default usage of destroy() also sends an HTTP header to expire the client-side session cookie. If this is not needed, then use destroy(false), since the instructions to set cookies are sent with HTTP headers.

  • Alternatively, try rearranging the application logic so that all actions manipulating headers are performed prior to sending any output whatsoever.

  • Remove any closing "?>" tags, if they occur at the end of a PHP source file. They are not needed, and newlines and other nearly invisible whitespace following the closing tag can trigger output to the client.

Session Identifiers

Introduction: Best practice in relation to using sessions with Zend Framework calls for using a browser cookie (i.e. a normal cookie stored in your web browser), instead of embedding a unique session identifier in URLs as a means to track individual users. By default this component uses only cookies to maintain session identifiers. The cookie's value is the unique identifier of your browser's session. PHP's ext/session uses this identifier to maintain a unique one-to-one relationship between website visitors, and persistent session data storage unique to each visitor. Zend_Session* wraps this storage mechanism ($_SESSION) with an object-oriented interface. Unfortunately, if an attacker gains access to the value of the cookie (the session id), an attacker might be able to hijack a visitor's session. This problem is not unique to PHP, or Zend Framework. The regenerateId() method allows an application to change the session id (stored in the visitor's cookie) to a new, random, unpredictable value. Note: Although not the same, to make this section easier to read, we use the terms "user agent" and "web browser" interchangeably.

Why?: If an attacker obtains a valid session identifier, an attacker might be able to impersonate a valid user (the victim), and then obtain access to confidential information or otherwise manipulate the victim's data managed by your application. Changing session ids helps protect against session hijacking. If the session id is changed, and an attacker does not know the new value, the attacker can not use the new session id in their attempts to hijack the visitor's session. Even if an attacker gains access to an old session id, regenerateId() also moves the session data from the old session id "handle" to the new one, so no data remains accessible via the old session id.

When to use regenerateId(): Adding Zend_Session::regenerateId() to your Zend Framework bootstrap yields one of the safest and most secure ways to regenerate session id's in user agent cookies. If there is no conditional logic to determine when to regenerate the session id, then there are no flaws in that logic. Although regenerating on every request prevents several possible avenues of attack, not everyone wants the associated small performance and bandwidth cost. Thus, applications commonly try to dynamically determine situations of greater risk, and only regenerate the session ids in those situations. Whenever a website visitor's session's privileges are "escalated" (e.g. a visitor re-authenticates their identity before editing their personal "profile"), or whenever a security "sensitive" session parameter change occurs, consider using regenerateId() to create a new session id. If you call the rememberMe() function, then don't use regenerateId(), since the former calls the latter. If a user has successfully logged into your website, use rememberMe() instead of regenerateId().

Session Hijacking and Fixation

Avoiding » cross-site script (XSS) vulnerabilities helps preventing session hijacking. According to » Secunia's statistics XSS problems occur frequently, regardless of the languages used to create web applications. Rather than expecting to never have a XSS problem with an application, plan for it by following best practices to help minimize damage, if it occurs. With XSS, an attacker does not need direct access to a victim's network traffic. If the victim already has a session cookie, Javascript XSS might allow an attacker to read the cookie and steal the session. for victims with no session cookies, using XSS to inject Javascript, an attacker could create a session id cookie on the victim's browser with a known value, then set an identical cookie on the attacker's system, in order to hijack the victim's session. If the victim visited an attacker's website, then the attacker can also emulate most other identifiable characteristics of the victim's user agent. If your website has an XSS vulnerability, the attacker might be able to insert an AJAX Javascript that secretly "visits" the attacker's website, so that the attacker knows the victim's browser characteristics and becomes aware of a compromised session at the victim website. However, the attacker can not arbitrarily alter the server-side state of PHP sessions, provided the developer has correctly set the value for the save_path option.

By itself, calling Zend_Session::regenerateId() when the user's session is first used, does not prevent session fixation attacks, unless you can distinguish between a session originated by an attacker emulating the victim. At first, this might sound contradictory to the previous statement above, until we consider an attacker who first initiates a real session on your website. The session is "first used" by the attacker, who then knows the result of the initialization ( regenerateId()). The attacker then uses the new session id in combination with an XSS vulnerability, or injects the session id via a link on the attacker's website (works if use_only_cookies = off).

If you can distinguish between an attacker and victim using the same session id, then session hijacking can be dealt with directly. However, such distinctions usually involve some form of usability tradeoffs, because the methods of distinction are often imprecise. For example, if a request is received from an IP in a different country than the IP of the request when the session was created, then the new request probably belongs to an attacker. Under the following conditions, there might not be any way for a website application to distinguish between a victim and an attacker:

  • attacker first initiates a session on your website to obtain a valid session id

  • attacker uses XSS vulnerability on your website to create a cookie on the victim's browser with the same, valid session id (i.e. session fixation)

  • both the victim and attacker originate from the same proxy farm (e.g. both are behind the same firewall at a large company, like AOL)

The sample code below makes it much harder for an attacker to know the current victim's session id, unless the attacker has already performed the first two steps above.

Example #2 Session Fixation

$defaultNamespace = new Zend_Session_Namespace();

if (!isset($defaultNamespace->initialized)) {
    Zend_Session::regenerateId();
    $defaultNamespace->initialized = true;
}

rememberMe(integer $seconds)

Ordinarily, sessions end when the user agent terminates, such as when an end user exits a web browser program. However, your application may provide the ability to extend user sessions beyond the lifetime of the client program through the use of persistent cookies. Use Zend_Session::rememberMe() before a session is started to control the length of time before a persisted session cookie expires. If you do not specify a number of seconds, then the session cookie lifetime defaults to remember_me_seconds, which may be set using Zend_Session::setOptions(). To help thwart session fixation/hijacking, use this function when a user successfully authenticates with your application (e.g., from a "login" form).

forgetMe()

This function complements rememberMe() by writing a session cookie that has a lifetime ending when the user agent terminates.

sessionExists()

Use this method to determine if a session already exists for the current user agent/request. It may be used before starting a session, and independently of all other Zend_Session and Zend_Session_Namespace methods.

destroy(bool $remove_cookie = true, bool $readonly = true)

Zend_Session::destroy() destroys all of the persistent data associated with the current session. However, no variables in PHP are affected, so your namespaced sessions (instances of Zend_Session_Namespace) remain readable. To complete a "logout", set the optional parameter to TRUE (the default) to also delete the user agent's session id cookie. The optional $readonly parameter removes the ability to create new Zend_Session_Namespace instances and for Zend_Session methods to write to the session data store.

If you see the error message, "Cannot modify header information - headers already sent", then either avoid using TRUE as the value for the first argument (requesting removal of the session cookie), or see Error: Headers Already Sent. Thus, Zend_Session::destroy(true) must either be called before PHP has sent HTTP headers, or output buffering must be enabled. Also, the total output sent must not exceed the set buffer size, in order to prevent triggering sending the output before the call to destroy().

Note: Throws

By default, $readonly is enabled and further actions involving writing to the session data store will throw an exception.

stop()

This method does absolutely nothing more than toggle a flag in Zend_Session to prevent further writing to the session data store. We are specifically requesting feedback on this feature. Potential uses/abuses might include temporarily disabling the use of Zend_Session_Namespace instances or Zend_Session methods to write to the session data store, while execution is transferred to view- related code. Attempts to perform actions involving writes via these instances or methods will throw an exception.

writeClose($readonly = true)

Shutdown the session, close writing and detach $_SESSION from the back-end storage mechanism. This will complete the internal data transformation on this request. The optional $readonly boolean parameter can remove write access by throwing an exception upon any attempt to write to the session via Zend_Session or Zend_Session_Namespace.

Note: Throws

By default, $readonly is enabled and further actions involving writing to the session data store will throw an exception. However, some legacy application might expect $_SESSION to remain writable after ending the session via session_write_close(). Although not considered "best practice", the $readonly option is available for those who need it.

expireSessionCookie()

This method sends an expired session id cookie, causing the client to delete the session cookie. Sometimes this technique is used to perform a client-side logout.

setSaveHandler(Zend_Session_SaveHandler_Interface $interface)

Most developers will find the default save handler sufficient. This method provides an object-oriented wrapper for »  session_set_save_handler().

namespaceIsset($namespace)

Use this method to determine if a session namespace exists, or if a particular index exists in a particular namespace.

Note: Throws

An exception will be thrown if Zend_Session is not marked as readable (e.g., before Zend_Session has been started).

namespaceUnset($namespace)

Use Zend_Session::namespaceUnset($namespace) to efficiently remove an entire namespace and its contents. As with all arrays in PHP, if a variable containing an array is unset, and the array contains other objects, those objects will remain available, if they were also stored by reference in other array/objects that remain accessible via other variables. So namespaceUnset() does not perform a "deep" unsetting/deleting of the contents of the entries in the namespace. For a more detailed explanation, please see » References Explained in the PHP manual.

Note: Throws

An exception will be thrown if the namespace is not writable (e.g., after destroy()).

namespaceGet($namespace)

DEPRECATED: Use getIterator() in Zend_Session_Namespace. This method returns an array of the contents of $namespace. If you have logical reasons to keep this method publicly accessible, please provide feedback to the » fw-auth@lists.zend.com mail list. Actually, all participation on any relevant topic is welcome :)

Note: Throws

An exception will be thrown if Zend_Session is not marked as readable (e.g., before Zend_Session has been started).

getIterator()

Use getIterator() to obtain an array containing the names of all namespaces.

Note: Throws

An exception will be thrown if Zend_Session is not marked as readable (e.g., before Zend_Session has been started).

Previous Next
Introduction to Zend Framework
Overview
Installation
Learning Zend Framework
Zend Framework Quick Start
Zend Framework & MVC Introduction
Create Your Project
Create A Layout
Create a Model and Database Table
Create A Form
Congratulations!
Autoloading in Zend Framework
Introduction
Goals and Design
Basic Autoloader Usage
Resource Autoloading
Conclusion
Plugins in Zend Framework
Introduction
Using Plugins
Conclusion
Getting Started with Zend_Layout
Introduction
Using Zend_Layout
Zend_Layout: Conclusions
Getting Started Zend_View Placeholders
Introduction
Basic Placeholder Usage
Standard Placeholders
View Placeholders: Conclusion
Understanding and Using Zend Form Decorators
Introduction
Decorator Basics
Layering Decorators
Rendering Individual Decorators
Creating and Rendering Composite Elements
Conclusion
Getting Started with Zend_Session, Zend_Auth, and Zend_Acl
Building Multi-User Applications With Zend Framework
Managing User Sessions In ZF
Authenticating Users in Zend Framework
Building an Authorization System in Zend Framework
Getting Started with Zend_Search_Lucene
Zend_Search_Lucene Introduction
Lucene Index Structure
Index Opening and Creation
Indexing
Searching
Supported queries
Search result pagination
Getting Started with Zend_Paginator
Introduction
Simple Examples
Pagination Control and ScrollingStyles
Putting it all Together
Zend Framework Reference
Zend_Acl
Introduction
Refining Access Controls
Advanced Usage
Zend_Amf
Introduction
Zend_Amf_Server
Zend_Application
Introduction
Zend_Application Quick Start
Theory of Operation
Examples
Core Functionality
Available Resource Plugins
Zend_Auth
Introduction
Database Table Authentication
Digest Authentication
HTTP Authentication Adapter
LDAP Authentication
Open ID Authentication
Zend_Barcode
Introduction
Barcode creation using Zend_Barcode class
Zend_Barcode Objects
Zend_Barcode Renderers
Zend_Cache
Introduction
The Theory of Caching
Zend_Cache Frontends
Zend_Cache Backends
The Cache Manager
Zend_Captcha
Introduction
Captcha Operation
CAPTCHA Adapters
Zend_CodeGenerator
Introduction
Zend_CodeGenerator Examples
Zend_CodeGenerator Reference
Zend_Config
Introduction
Theory of Operation
Zend_Config_Ini
Zend_Config_Xml
Zend_Config_Writer
Zend_Config_Writer
Zend_Console_Getopt
Introduction
Declaring Getopt Rules
Fetching Options and Arguments
Configuring Zend_Console_Getopt
Zend_Controller
Zend_Controller Quick Start
Zend_Controller Basics
The Front Controller
The Request Object
The Standard Router
The Dispatcher
Action Controllers
Action Helpers
The Response Object
Plugins
Using a Conventional Modular Directory Structure
MVC Exceptions
Zend_Currency
Introduction to Zend_Currency
Using Zend_Currency
Options for currencies
What makes a currency?
Where is the currency?
How does the currency look like?
How much is my currency?
Calculating with currencies
Exchanging currencies
Additional informations on Zend_Currency
Zend_Date
Introduction
Theory of Operation
Basic Methods
Zend_Date API Overview
Creation of Dates
Constants for General Date Functions
Working Examples
Zend_Db
Zend_Db_Adapter
Zend_Db_Statement
Zend_Db_Profiler
Zend_Db_Select
Zend_Db_Table
Zend_Db_Table_Row
Zend_Db_Table_Rowset
Zend_Db_Table Relationships
Zend_Db_Table_Definition
Zend_Debug
Dumping Variables
Zend_Dojo
Introduction
Zend_Dojo_Data: dojo.data Envelopes
Dojo View Helpers
Dojo Form Elements and Decorators
Zend_Dojo build layer support
Zend_Dom
Introduction
Zend_Dom_Query
Zend_Exception
Using Exceptions
Basic usage
Previous Exceptions
Zend_Feed
Introduction
Importing Feeds
Retrieving Feeds from Web Pages
Consuming an RSS Feed
Consuming an Atom Feed
Consuming a Single Atom Entry
Modifying Feed and Entry structures
Custom Feed and Entry Classes
Zend_Feed_Reader
Zend_Feed_Writer
Zend_Feed_Pubsubhubbub
Zend_File
Zend_File_Transfer
Validators for Zend_File_Transfer
Filters for Zend_File_Transfer
Zend_Filter
Introduction
Standard Filter Classes
Filter Chains
Writing Filters
Zend_Filter_Input
Zend_Filter_Inflector
Zend_Form
Zend_Form
Zend_Form Quick Start
Creating Form Elements Using Zend_Form_Element
Creating Forms Using Zend_Form
Creating Custom Form Markup Using Zend_Form_Decorator
Standard Form Elements Shipped With Zend Framework
Standard Form Decorators Shipped With Zend Framework
Internationalization of Zend_Form
Advanced Zend_Form Usage
Zend_Gdata
Introduction
Authenticating with AuthSub
Using the Book Search Data API
Authenticating with ClientLogin
Using Google Calendar
Using Google Documents List Data API
Using Google Health
Using Google Spreadsheets
Using Google Apps Provisioning
Using Google Base
Using Picasa Web Albums
Using the YouTube Data API
Catching Gdata Exceptions
Zend_Http
Introduction
Zend_Http_Client - Advanced Usage
Zend_Http_Client - Connection Adapters
Zend_Http_Cookie and Zend_Http_CookieJar
Zend_Http_Response
Zend_InfoCard
Introduction
Zend_Json
Introduction
Basic Usage
Advanced Usage of Zend_Json
XML to JSON conversion
Zend_Json_Server - JSON-RPC server
Zend_Layout
Introduction
Zend_Layout Quick Start
Zend_Layout Configuration Options
Zend_Layout Advanced Usage
Zend_Ldap
Introduction
API overview
Usage Scenarios
Tools
Object oriented access to the LDAP tree using Zend_Ldap_Node
Getting information from the LDAP server
Serializing LDAP data to and from LDIF
Zend_Loader
Loading Files and Classes Dynamically
The Autoloader
Resource Autoloaders
Loading Plugins
Zend_Locale
Introduction
Using Zend_Locale
Normalization and Localization
Working with Dates and Times
Supported locales
Zend_Log
Overview
Writers
Formatters
Filters
Using the Factory to Create a Log
Zend_Mail
Introduction
Sending via SMTP
Sending Multiple Mails per SMTP Connection
Using Different Transports
HTML E-Mail
Attachments
Adding Recipients
Controlling the MIME Boundary
Additional Headers
Character Sets
Encoding
SMTP Authentication
Securing SMTP Transport
Reading Mail Messages
Zend_Markup
Introduction
Getting Started With Zend_Markup
Zend_Markup Parsers
Zend_Markup Renderers
Zend_Measure
Introduction
Creation of Measurements
Outputting measurements
Manipulating Measurements
Types of measurements
Zend_Memory
Overview
Memory Manager
Memory Objects
Zend_Mime
Zend_Mime
Zend_Mime_Message
Zend_Mime_Part
Zend_Navigation
Introduction
Pages
Containers
Zend_Oauth
Introduction to OAuth
Zend_OpenId
Introduction
Zend_OpenId_Consumer Basics
Zend_OpenId_Provider
Zend_Paginator
Introduction
Usage
Configuration
Advanced usage
Zend_Pdf
Introduction
Creating and Loading PDF Documents
Save Changes to PDF Documents
Working with Pages
Drawing
Interactive Features
Document Info and Metadata
Zend_Pdf module usage example
Zend_ProgressBar
Zend_ProgressBar
Zend_Queue
Introduction
Example usage
Framework
Adapters
Customizing Zend_Queue
Stomp
Zend_Reflection
Introduction
Zend_Reflection Examples
Zend_Reflection Reference
Zend_Registry
Using the Registry
Zend_Rest
Introduction
Zend_Rest_Client
Zend_Rest_Server
Zend_Search_Lucene
Overview
Building Indexes
Searching an Index
Query Language
Query Construction API
Character Set
Extensibility
Interoperating with Java Lucene
Advanced
Best Practices
Zend_Serializer
Introduction
Zend_Serializer_Adapter
Zend_Server
Introduction
Zend_Server_Reflection
Zend_Service
Introduction
Zend_Service_Akismet
Zend_Service_Amazon
Zend_Service_Amazon_Ec2
Zend_Service_Amazon_Ec2: Instances
Zend_Service_Amazon_Ec2: Windows Instances
Zend_Service_Amazon_Ec2: Reserved Instances
Zend_Service_Amazon_Ec2: CloudWatch Monitoring
Zend_Service_Amazon_Ec2: Amazon Machine Images (AMI)
Zend_Service_Amazon_Ec2: Elastic Block Storage (EBS)
Zend_Service_Amazon_Ec2: Elastic IP Addresses
Zend_Service_Amazon_Ec2: Keypairs
Zend_Service_Amazon_Ec2: Regions and Availability Zones
Zend_Service_Amazon_Ec2: Security Groups
Zend_Service_Amazon_S3
Zend_Service_Amazon_Sqs
Zend_Service_Audioscrobbler
Zend_Service_Delicious
Zend_Service_DeveloperGarden
Zend_Service_Flickr
Zend_Service_LiveDocx
Zend_Service_Nirvanix
Zend_Service_ReCaptcha
Zend_Service_Simpy
Zend_Service_SlideShare
Zend_Service_StrikeIron
Zend_Service_StrikeIron: Bundled Services
Zend_Service_StrikeIron: Advanced Uses
Zend_Service_Technorati
Zend_Service_Twitter
Zend_Service_WindowsAzure
Zend_Service_Yahoo
Zend_Session
Introduction
Basic Usage
Advanced Usage
Global Session Management
Zend_Session_SaveHandler_DbTable
Zend_Soap
Zend_Soap_Server
Zend_Soap_Client
WSDL Accessor
AutoDiscovery
Zend_Tag
Introduction
Zend_Tag_Cloud
Zend_Test
Introduction
Zend_Test_PHPUnit
Zend_Test_PHPUnit_Db
Zend_Text
Zend_Text_Figlet
Zend_Text_Table
Zend_TimeSync
Introduction
Working with Zend_TimeSync
Zend_Tool
Using Zend_Tool On The Command Line
Extending Zend_Tool
Zend_Tool_Framework
Introduction
Using the CLI Tool
Architecture
Creating Providers to use with Zend_Tool_Framework
Shipped System Providers
Extending and Configuring Zend_Tool_Framework
Zend_Tool_Project
Introduction
Create A Project
Zend_Tool Project Providers
Zend_Tool_Project Internals
Zend_Translate
Introduction
Adapters for Zend_Translate
Using Translation Adapters
Creating source files
Additional features for translation
Plural notations for Translation
Zend_Uri
Zend_Uri
Zend_Validate
Introduction
Standard Validation Classes
Validator Chains
Writing Validators
Validation Messages
Zend_Version
Getting the Zend Framework Version
Zend_View
Introduction
Controller Scripts
View Scripts
View Helpers
Zend_View_Abstract
Zend_Wildfire
Zend_Wildfire
Zend_XmlRpc
Introduction
Zend_XmlRpc_Client
Zend_XmlRpc_Server
ZendX_Console_Process_Unix
ZendX_Console_Process_Unix
ZendX_JQuery
Introduction
ZendX_JQuery View Helpers
ZendX_JQuery Form Elements and Decorators
Zend Framework Requirements
Introduction
Zend Framework Migration Notes
Zend Framework 1.10
Zend Framework 1.9
Zend Framework 1.8
Zend Framework 1.7
Zend Framework 1.6
Zend Framework 1.5
Zend Framework 1.0
Zend Framework 0.9
Zend Framework 0.8
Zend Framework 0.6
Zend Framework Coding Standard for PHP
Overview
PHP File Formatting
Naming Conventions
Coding Style
Zend Framework Documentation Standard
Overview
Documentation File Formatting
Recommendations
Recommended Project Structure for Zend Framework MVC Applications
Overview
Recommended Project Directory Structure
Module Structure
Rewrite Configuration Guide
Zend Framework Performance Guide
Introduction
Class Loading
Zend_Db Performance
Internationalization (i18n) and Localization (l10n)
View Rendering
Copyright Information