Bind session handling to request lifecycle

With this change, session objects are no longer instantiated
globally, but instead created within a middleware during the
request lifecycle.

In addition, session garbage collection is integrated with
the already existing middleware for this purpose.

src/Http/Middleware/CollectGarbage.php

@@ -15,12 +15,30 @@ use Flarum\Http\AccessToken;
 use Flarum\User\AuthToken;
 use Flarum\User\EmailToken;
 use Flarum\User\PasswordToken;
+use Illuminate\Contracts\Config\Repository as ConfigRepository;
 use Interop\Http\ServerMiddleware\DelegateInterface;
 use Interop\Http\ServerMiddleware\MiddlewareInterface;
 use Psr\Http\Message\ServerRequestInterface as Request;
+use SessionHandlerInterface;
 
 class CollectGarbage implements MiddlewareInterface
 {
+    /**
+     * @var SessionHandlerInterface
+     */
+    protected $sessionHandler;
+
+    /**
+     * @var array
+     */
+    protected $sessionConfig;
+
+    public function __construct(SessionHandlerInterface $handler, ConfigRepository $config)
+    {
+        $this->sessionHandler = $handler;
+        $this->sessionConfig = $config->get('session');
+    }
+
     public function process(Request $request, DelegateInterface $delegate)
     {
         $this->collectGarbageSometimes();
@@ -43,10 +61,17 @@ class CollectGarbage implements MiddlewareInterface
         EmailToken::where('created_at', '<=', $earliestToKeep)->delete();
         PasswordToken::where('created_at', '<=', $earliestToKeep)->delete();
         AuthToken::where('created_at', '<=', $earliestToKeep)->delete();
+
+        $this->sessionHandler->gc($this->getSessionLifetimeInSeconds());
     }
 
     private function hit()
     {
         return mt_rand(1, 100) <= 2;
     }
+
+    private function getSessionLifetimeInSeconds()
+    {
+        return $this->sessionConfig['lifetime'] * 60;
+    }
 }