When we were finalizing features for Expressive 3, we had a number of users testing using asynchronous PHP web servers. As a result, we made a number of changes in the last few iterations to ensure that Expressive will work well under these paradigms.

Specifically, we made changes to how response prototypes are injected into services.

Response prototypes?

What's the problem?

In an async system, one advantage is that you can bootstrap the application once, and then respond to requests until the server is shutdown.

However, this can become problematic with services that compose a response prototype in order to produce a response (e.g., authentication middleware that may need to produce an "unauthenticated" response; middleware that will produce a "not found" response; middleware that will produce a "method not allowed" response; etc.). We have standardized on providing response prototypes via dependency injection, using a service named after the interface they implement: Psr\Http\Message\ResponseInterface.

If a particular service accepts a response instance that's injected during initial service creation, that same instance will be used for any subsequent requests that require it. And that's where the issue comes in.

When running PHP under traditional conditions — php-fpm, the Apache SAPI, etc. — all requests are isolated; the environment is both created and torn down for each and every request. As such, passing an instance is perfectly safe; there's very little chance, if any, that any other service will be working with the same instance.

With an async server, however, the same instance will be used on each and every request. Generally, manipulations of PSR-7 message instances will create new instances, as the interfaces they implement are specified as immutable. Unfortunately, due to technical limitations of the PHP language, we were unable to make the body of response messages immutable. This means that if one process writes to that body, then a subsequent process — or even those executing in parallel! — will receive the same changes. This can lead to, in the best case scenario, duplicated content, and, in the worst, provide incorrect content or perform information leaking!

To combat these situations, we modified the Psr\Http\Message\ResponseInterface service we register with the dependency injection container: it now returns not an instance of the interface, but a factory capable of producing an instance. Services should compose this factory, and then call on it each time they need to produce a response. This fixes the async problem, as it ensures a new instance is used each time, instead of the same instance.

(Additionally, this change helps us prepare for the upcoming PSR-17, which describes factories for PSR-7 artifacts; this solution will be compatible with that specification once complete.)

Why async?

If asynchronous systems operate so differently, why bother?

There's many reasons, but the one that generally gets the attention of developers is performance.

We performed benchmarks of Expressive 2 and Expressive 3 under both Apache and nginx, and found version 3 received around a 10% improvement.

We then tested using Swoole. Swoole is a PHP extension that provides built-in async, multi-threaded input/output (I/O) modules; it's essentially the I/O aspects of node.js — which allow you to create network servers and perform database and filesystem operations — but for PHP.

A contributor, Westin Shafer, has written a module for Expressive 3 that provides an application wrapper for Swoole that is exposed via a CLI command. We ran our same benchmarks against this, and the results were astonishing: applications ran consistently 4 times faster under this asynchronous framework, and used fewer resources!

While performance is a great reason to explore async, there are other reasons as well. For instance, if you do not need the return value of an I/O call (e.g., a database transaction or cache operation), you can fire it off asynchronously, and finish out the response without waiting for it. This can lead to reduced waiting times for clients, further improving your performance.

We have had fun testing Swoole, and think it has tremendous possibilities when it comes to creating microservices in PHP. The combination of Expressive and Swoole is remarkably simple to setup and run, making it a killer combination!

Notes on setting up Swoole

The wshafer/swoole-expressive package requires a version 2 release of the Swoole extension.

However, there's a slight bug in the PECL installer whereby it picks up the most recent release as the "latest", even if a version with greater stability exists. As of the time of writing, version 1.10.2 of Swoole was released after version 2.1.1, causing it to be installed instead of the more 2.X version.

You can force installation of a version by appending the version you want when invoking the pecl command:

$ pecl install swoole-2.1.1

The version must be fully qualified for it to install correctly; no partials (such as swoole-2 or swoole-2.1 will work.


Yesterday, we tagged and released Expressive 3!

Expressive 3 provides a middleware microframework.

Create a new Expressive application using Composer:

$ composer create-project zendframework/zend-expressive-skeleton

The installer will prompt you for your choice of:

  • Initial application architecture (minimal, flat, modular)
  • Which dependency injection container you would like to use.
  • Which routing library you would like to use.
  • Which templating library you would like to use, if any.
  • Which error handling library you would like to use, if any.

From there, it creates a new project for you, and allows you to get started developing immediately.

You can read more in our quick start, and may want to check out our command line tooling to see what we provide to make development even faster for you!

What are the features?

Expressive 3 embraces modern PHP, and requires PHP 7.1 or higher. Strong type-hinting, including return type hints, make both our job and your job easier and more predictable. The ability to use all modern PHP features helps us deliver a solid base for your application.

Expressive 3 provides full support for the PSR-15 (Middleware and Request Handlers) standard. We believe strongly in supporting standards, to the extent that this release also drops direct support for the "double-pass" middleware style we have supported since version 1.0

Expressive 3 massively refactors its internals as well. In fact, the majority of the code in the zend-expressive package was removed, moved to other existing packages where it had a better semantic affiliation1, or extracted to new packages2. This base package now mainly handles coordinating collaborators and providing a user-friendly interface to creating your application pipeline and routes.3

Expressive 3 provides more command line tooling and tooling improvements in order to make developing your application easier. We added a command for creating factories for existing classes (factory:create).4 The middleware:create command now creates a factory for the middleware generated. We added support for creating request handlers5, complete with factory generation and registration, as well as template support.6

Finally, we recognize that Expressive has changed massively between versions 1 and 3, while simultaneously keeping its primary API stable and unchanged. However, to help users find the information they need for the version they run, we have rolled out versioned documentation, with each version providing only information specific to its release cycle:

The most recent version will always be present in the primary navigation, with links to other versions present as well.

New components!

We have several new components that provide features for Expressive — or any PSR-15 framework you may be using! These include:

We have a number of other packages in the works around authentication, authorization, and data validation that we will be releasing in the coming weeks and months; stay tuned for announcements!

What about upgrading?

We have prepared a migration document that covers new features, removed features, and a list of all changes.

Additionally, we have provided [migration tooling](https://docs.zendframework.com/zend-expressive/v3/reference/migration/#upgrading to aid you in your migration from version 2 to version 3. The tool will not necessarily give you a fully running application, but it will take care of the majority of the changes necessary to bump your application to version 3, including setting up appropriate dependencies, and updating your bootstrapping files to conform to the new skeleton application structure.

If you need assistance, you can find community help:

What's next?

We have been working on a number of API-related modules for Expressive (and any PSR-15 applications) since last summer, with a number of components already completed, and others close to completion. We plan to finalize these in the next few months.

Thank You!

We extend a hearty thank you to everyone who tested the various pre-releases and provided feedback. Additionally, we are singling out the following individuals who provided significant contributions to the Expressive 3 project:

  • Enrico Zimuel provided a ton of feedback and critique during the design phase, and was a driving force behind many of the API usability decisions.

  • Rob Allen did a workshop at SunshinePHP, right as we dropped our initial alpha releases, and provided feedback and testing for much of our tooling additions.

  • Frank Brückner provided ongoing feedback and review of pull requests, primarily around documentation; he is also responsible for a forthcoming rewrite of our documentation theme to make it more responsive and mobile-friendly.

  • Daniel Gimenes provided feedback and ideas as we refactored zend-stratigility; he is the one behind package-level utility functions such as Zend\Stratigility\doublePassMiddleware(), Zend\Stratigility\path(), and more.

  • Witold Wasiczko provided the majority of the rewrite of zend-stratigility for version 3. He can be celebrated for removing over half the code from that repository!

In addition to these people, I want to extend a personal thank you to the following people:

  • Geert Eltink has helped maintain Expressive v2, and particularly the various routers and template engines, making them ready for v3 and testing continually. As a maintainer, I was able to rely on him to take care of merges as we finalized the releases, and was pleasantly surprised to wake up to new releases several times when he fixed critical issues in our alpha and RC releases.

  • Michał Bundyra provided a constant stream of pull requests related to quality assurance (including ongoing work on our phpcs extension!), as well as critical review of incoming patches. He spearheaded important work in the refactoring process, including changes to how we handle response prototypes, and critical fixes in our routers to address issues with how we detect allowed methods for path route matches. We synced each and every single day, often arguing, but always coming to consensus and plowing on.

If you get a chance, reach out to these contributors and thank them for the release!


  • 0: The Expressive ecosystem makes use of many other standards as well, including PSR-7 HTTP Messages, PSR-11 Container, and PSR-13 HTTP Links.

  • 1: As an example, the routing, dispatch, and "implicit methods" middleware were all moved to the zend-expressive-router package, as they each work with the router and route results.

  • 2: Request generation, application dispatch, and response emission were all moved to a new package, zend-httphandlerrunner.

  • 3: These refactors led to a net removal of code across the board, vastly simplifying the internals. This will lead to ease of maintenance, greater stability, and, based on benchmarks we've been performing, 10% better performance and less system resource usage.

  • 4: factory:create uses PHP's Reflection API in order to determine what dependencies are in place in order to generate a factory class; it also registers the class and factory with the container!

  • 5: In previous Expressive versions, we referred to "actions", which were any middleware that returned a response instead of delegating to another layer of the application. PSR-15 calls such classes request handlers. Our tooling provides an action:create command, however, for those who prefer the "action" verbiage.

  • 6: The command creates a template named after the handler created; it uses the root namespace of the class to determine where to put it in the filesystem. Additionally, it alters the generated request handler to render the template into a zend-diactoros HtmlResponse!


This week, we've worked on backports from Expressive 3 to Expressive 2, and, in the process, identified a few issues with how the routing package handles implicit HEAD and OPTIONS requests. As a result, we've just released 3.0.0rc2:

What are "implicit" HEAD and OPTIONS requests?

Implicit HEAD and OPTIONS requests are requests using those methods made to routes that do not explicitly define them; in other words, if no routes for a given path include the HEAD or OPTIONS methods.

We provide a way for router implementations to flag a routing failure as being due to requesting a method that is not explicitly allowed. We also provide middleware for providing responses to HEAD and OPTIONS requests under those conditions, as well as separate middleware for simply reporting that a method is not allowed.

Getting started with RC2

To start a new project based on 3.0.0rc2, use Composer to create a new project:

$ composer create-project "zendframework/zend-expressive-skeleton:3.0.0rc2"

If you want to install to a custom directory name, use the following instead:

$ composer create-project zendframework/zend-expressive-skeleton {your directory} 3.0.0rc2

Once installed, you can follow the same instructions as for RC1.

Updating from RC1

Updating from RC1 requires a few manual steps.

Prior to upgrading, you will need to do the following:

$ composer require "zendframework/zend-diactoros:^1.7.1"

Then run:

$ composer update

Once done, you will need to make one change to your config/pipeline.php.

Locate the following line:


Cut the line, and paste it following the line reading:


This change is necessary due to how each of these middleware inspect the routing result and act on it. If MethodNotAllowedMiddleware operates before the Implicit*Middleware, it will detect a 405 condition. Moving it after those middleware allow them to intercept for HEAD and OPTIONS requests.


We still have a number of tasks to accomplish before the stable 3.0.0 release. In particular:

  • We need to provide full documentation for the v3 release.

  • We will be issuing a 2.2 release with:

  • We need to document migration from v2.2 to v3, and potentially provide automated tooling.

  • We anticipate users may still find bugs in the RC, and will be actively incorporating bugfixes before the stable release.

Our target date is still 15 March 2018, but we need your help! Help by testing the RC2 skeleton and providing your feedback. As we prepare the v2.2 release, help by testing tooling and applying our migration documentation to your applications, and let us know what works and what doesn't. If you find features that are not documented, let us know by filing issues or asking questions in our Slack.

We look forward to the stable release, and the positive impact PSR-15 will have on the PHP ecosystem!


We've been working diligently the past three weeks to finalize API changes and new features for the Expressive 3.0 release, and are pleased to announce immediate availability of our first release candidate, 3.0.0rc1!

Why RC and not beta?

Why the jump from alpha to release candidate? Most of our planned features also contained API changes, whether these were namespace or class name changes, signature changes due to adopting type hints, or wholesale refactors. As a result, we held an extended alpha release cycle so that we could continue making API changes as we worked on new features. In the last three weeks, we've continued to release new alpha versions of components, which users were picking up as they updated; surprisingly, the majority of these continued to work due to efforts at backwards compatibility that we made along the way.

We feel at this point that we've identified and implemented all desired changes both in terms of API as well as features, and announced a feature freeze yesterday. This puts us in a status more analogous to release candidates than beta (where features could still be added).

In this post, we'll cover:

Getting started with RC1

To start a new project based on 3.0.0rc1, use Composer to create a new project:

$ composer create-project "zendframework/zend-expressive-skeleton:3.0.0rc1"

If you want to install to a custom directory name, use the following instead:

$ composer create-project zendframework/zend-expressive-skeleton {your directory} 3.0.0rc1

The installer will prompt you for a number of things:

  • What style install (minimal, flat, or modular).
  • Which DI container to use.
  • Which router to use.
  • Which template engine to use.
  • Which error handler to use.

We recommend the defaults, except in the case of a template engine; in that case, choose the one you're most familiar with.

Once the installer has gathered its information, it will begin installing dependencies, enable development mode, and then let you know it's done!

You can create your first request handler to handle an incoming request using our tooling:

$ composer expressive handler:create "App\Handler\HelloWorldHandler"


Run the following command to find out what other commands we expose:

$ composer expressive help

You can also get help on individual commands:

$ composer expressive help handler:create

This will create a new class and tell you where in the filesystem you'll find it; it will also create a factory and tell you about that. If you have enabled a template engine, it will also create a template file and tell you where it is.

To route to it, edit the file config/routes.php and add the following line within the callback it defines:

    $app->get('/hello/world', App\Handler\HelloWorldHandler::class);

Next, fire up the built-in web server:

$ composer serve

and navigate to http://localhost:8080/hello/world to see your handiwork!

You can also create middleware to add to your application pipeline, or within route-specific pipelines. From here, you have the basic building blocks and application structure to get started!

Migrating from alpha3 to rc1

While a ton has changed between the 3.0.0alpha3 release and today, most applications built on alpha3 should be able to continue working as they were before, due to a number of backwards compatibility efforts we put into place to aid migration both for alpha users, as well as v2 users.

However, we recommend making the following changes to your application as well, to ensure it follows the structure that will be used in the final stable release.


Whenever you see a constraint with the format ^X.Y.ZalphaW || ^X.Y, remove the || ^X.Y part of the constraint. This ensures that a previous alpha version cannot be installed if you use the --prefer-lowest flag when running composer update. More stable versions will still be installed when they become available.


Ensure the following configuration providers are present:


Most likely, you will have been prompted to install these already anyways, but double-check to be sure.


alpha3 refered to the following classes via import statements; they should be updated per the following table:

alpha3 reference rc1 reference
Zend\Expressive\Middleware\DispatchMiddleware Zend\Expressive\Router\Middleware\DispatchMiddleware
Zend\Expressive\Middleware\ImplicitHeadMiddleware Zend\Expressive\Router\Middleware\ImplicitHeadMiddleware
Zend\Expressive\Middleware\ImplicitOptionsMiddleware Zend\Expressive\Router\Middleware\ImplicitOptionsMiddleware
Zend\Expressive\Middleware\NotFoundMiddleware Zend\Expressive\Handler\NotFoundHandler
Zend\Expressive\Middleware\RouteMiddleware Zend\Expressive\Router\Middleware\PathBasedRoutingMiddleware

Also add the following import statement:

use Zend\Expressive\Router\Middleware\MethodNotAllowedMiddleware;

Change the line reading:




Change the line reading:




Changes between alpha3 and rc1

A number of substantial changes were released within the core Expressive packages. We'll detail them package-by-package, providing cumulative changes (vs. release-by-release changes), with general changes affecting all packages listed first.

General changes

Potentially the most far-reaching change was a decision to no longer compose response prototypes in classes that need to produce a response, but rather response factories. All classes that previously accepted a Psr\Http\Message\ResponseInterface instance (with the exception of Zend\Stratigility\Middleware\DoublePassMiddleware) now accept a PHP callable capable of producing a ResponseInterface instance. The simplest form, using zend-diactoros, would look like the following:

function () {
    return new Response();

We made this change for a variety of reasons.

First, not all containers allow marking an instance as non-shared. This meant that a ResponseInterface service would return the same instance each time. While this is generally fine, as the various with*() methods produce new instances, it falls apart when you write to the response body, as the body is the one part of a response that is mutable. (We often addressed this fact by also composing a stream factory, for producing an empty body stream to use with a response.) While we could solve this problem by indicating the ResponseInterface service was non-shared, this would not work on all containers, and led to convoluted solutions such as using "virtual services" to refer to discrete instances.

Second, an upcoming specification from PHP-FIG will largely address this. The proposed PSR-17 defines a number of interfaces describing factories for PSR-7 HTTP messages.

By changing our classes to compose a callable factory, we accomplish several things:

  • We can now share the ResponseInterface service safely, and re-use it in any service that needs to produce a response. Since the factory will always return a new response instance, sharing the factory for the ResponseInterface service is safe.

  • When PSR-17 is available, we will be able to decorate its response factory via a closure and continue to use it. Expressive applications will be immediately PSR-17 compatible.

Solving type-safety issues

The one problem with passing a PHP callable for the factory is that we have no guarantees that it actually returns a PSR-7 ResponseInterface!

To solve this, each class that composes a response factory re-assigns it as follows:

$this->responseFactory = function () use ($responseFactory) : ResponseInterface {
    return $responseFactory();

This approach ensures that a TypeError is raised if the factory returns any other type!


Stratigility received the following changes since the Expressive alpha3 release.

  • The Zend\Stratigility\Middleware\ErrorHandler and NotFoundHandler classes were updated to accept response factories instead of prototypes, as outlined in the previous section.

  • All middleware and handlers, as well as the Next implementation, were marked final.


zend-expressive-router underwent a massive rewrite. The rewrite can be characterized as two major changes: routes and route results are now middleware, and all middleware from zend-expressive other than the LazyLoadingMiddleware was moved to this package.

One general change was made: the package now ships a ConfigProvider class and exposes it to zend-component-installer. This allows it to ship factories for middleware it exposes and ensure that middleware can be used immediately within Expressive applications.

Routes and RouteResults

Zend\Expressive\Router\Route now implements the PSR-15 MiddlewareInterface. Its process() method proxies to the middleware passed to its constructor.

Zend\Expressive\Router\RouteResult also now implements MiddlewareInterface. In the case of a successful result, its process() method will proxy to the route matched. In the case of a failed match, the method instead acts as a no-op, proxying directly to the handler argument. Due to these changes, we felt we could remove the getMatchedMiddleware() method; the middleware is still accessible via the composed Route class, and, generally speaking, you should not need direct access to it.

These changes greatly simplify the DispatchMiddleware, as it no longer needs to check if a successful match occurred, and can instead process the route result directly.

Additionally, the RouteMiddleware::process() logic was simplified, as it no longer needs to conditionally inject a RouteResult as a request attribute; it does it regardless of the result of matching.


All previously provided middleware (RouteMiddleware, PathBasedRoutingMiddleware, and DispatchMiddleware) were moved to the Zend\Expressive\Router\Middleware namespace.

Additionally, we moved the following middleware from zend-expressive into this package:

zend-expressive middleware class zend-expressive-router middleware class
Zend\Expressive\Middleware\ImplicitHeadMiddleware Zend\Expressive\Router\Middleware\ImplicitHeadMiddleware
Zend\Expressive\Middleware\ImplicitOptionsMiddleware Zend\Expressive\Router\Middleware\ImplicitOptionsMiddleware

As detailed in the General changes section, each was modified to compose a response factory instead of a prototype.

These middleware were imported into zend-expressive-router as they are closely related to routing:

  • ImplicitHeadMiddleware introspects a RouteResult in order to return a response if a HEAD request was made and other conditions are met.

  • ImplicitOptionsMiddleware introspects a RouteResult in order to return a response if an OPTIONS request was made and other conditions are met.

We also refactored the RouteMiddleware (and, by extension, the PathBasedRoutingMiddleware) in order to extract the functionality for indicating a 405 Method Not Allowed response. This functionality is now shipped in a new class, Zend\Expressive\Router\Middleware\MethodNotAllowedMiddleware, which should be piped immediately following the RouteMiddleware or PathBasedRoutingMiddleware. This solves a problem several users have reported: we previously had no ability to modify how a 405 response is returned. You can now pipe alternative middleware for this feature if you desire using templates, Problem Details, or other formats.


The zend-expressive package also had a large number of changes. The majority were related to exporting functionality to more relevant packages; other changes were made to provide backwards compatibility with previous alpha releases, as well as v2 releases.

API/Behavior changes.

  • Zend\Expressive\Container\ApplicationConfigInjectionDelegator now raises an exception if the $callback argument produces an instance of anything other than a Zend\Expressive\Application instance. Previously, it would return it immediately. Now, it raises an exception in order to detail to the user what changes they need to make to their application.

  • The exceptions Zend\Expressive\Exception\InvalidMiddlewareException and MissingDependencyException were updated to implement the PSR-11 ContainerExceptionInterface.

New classes

  • Zend\Expressive\Response\ServerRequestErrorResponseGenerator is an invokable class capable of generating a response from a Throwable as provided by Zend\HttpHandlerRunner\RequestHandlerRunner. The class Zend\Expressive\Container\ServerRequestErrorResponseGeneratorFactory was updated to create and return an instance of this class.

  • Zend\Expressive\Response\ErrorResponseGeneratorTrait contains the bulk of the logic for generating an error response used both by the above class, as well as the existing Zend\Expressive\Middleware\ErrorResponseGenerator.

New factories

The package provides two new factories:

  • Zend\Expressive\Container\ResponseFactoryFactory will return a PHP callable capable of producing a PSR-7 ResponseInterface. By default, the class provides a closure around instantiation of a zend-diactoros Response instance. The package maps it to the service Psr\Http\Message\ResponseInterface.

  • Zend\Expressive\Container\StreamFactoryFactory will return a PHP callable capable of producing a PSR-7 StreamInterface. By default, the class provides a closure around instantiation of a zend-diactoros Stream instance backed by a writable php://temp resource. The package maps it to the service Psr\Http\Message\StreamInterface.

Middleware removals

The following middleware were removed; in all cases, they were added to the zend-expressive-router package:

  • Zend\Expressive\Middleware\ImplicitHeadMiddleware
  • Zend\Expressive\Middleware\ImplicitOptionsMiddleware

The class Zend\Expressive\Middleware\NotFoundMiddleware was renamed to Zend\Expressive\Handler\NotFoundHandler, and now implements the PSR-15 RequestHandlerInterface (instead of MiddlewareInterface). The class now also composes a response factory instead of a response prototype. (Its related factory does this for you automatically.)

Factory removals

The following factories were removed, as they are either unnecessary, or provided by other packages:

  • Zend\Expressive\Container\RouteMiddlewareFactory (now provided in zend-expressive-router)
  • Zend\Expressive\Container\DispatchMiddlewareFactory (now provided in zend-expressive-router)
  • Zend\Expressive\Container\ImplicitHeadMiddlewareFactory (now provided in zend-expressive-router)
  • Zend\Expressive\Container\ImplicitOptionsMiddlewareFactory (now provided in zend-expressive-router)


We spent a fair amount of time on zend-expressive-tooling to provide both migration tools as well as tools to make you more productive during development. In particular, we added the following:

  • migrate:interop-middleware will migrate middleware implementing http-interop interfaces to PSR-15. (This was in previous releases, but not highlighted before!)

  • migrate:middleware-to-request-handler will scan a directory (your src/ tree by default) for middleware. When it detects middleware that does not call on its handler argument, it converts it to a request handler.

  • action:create is an alias to the handler:create detailed in the previous post on alpha3, and exposes the same set of functionality for creating a PSR-15 request handler. Some developers prefer the "Action" verbiage, and requested this feature.

  • factory:create will generate a factory class file for the given class, using PHP's Reflection API. The generated file will be a sibling to the original class file. The functionality also auto-registers the class and factory in your configuration.

    The middleware:create, handler:create, and action:create commands now all use this functionality to create a factory for the class generated and wire it in your application configuration. (You may disable this capability via a CLI switch.)

Additionally, we added template awareness to the handler:create and action:create commands. By default, if they detect a Zend\Expressive\Template\TemplateRendererInterface service in your container, they will:

  • Generate a template named after the root namespace and newly generated class (minus any Handler, Action, or Middleware suffix).
  • Place a template file in the configured template path for the root namespace, and named after the generated class.
  • Modify the generated class to accept a TemplateRendererInterface instance to its constructor, and render the named template to a zend-diactoros HtmlResponse.

The commands allow you to disable template capabilities via a switch, as well as provide an alternate template namespace, template name, and template file extension.

Ecosystem updates

The skeleton releases cover the core functionality of Expressive: Stratigility, Expressive itself, routing, template engines, and the helpers. However, the Expressive ecosystem includes other functionality as well:

  • zend-expressive-session and its adapters
  • zend-expressive-authentication and its adapters
  • zend-expressive-authorization and its adapters
  • zend-problem-details
  • zend-expressive-hal

We have provided alpha releases of each of these packages to provide the following:

  • PSR-15 support
  • Response factory (vs response prototype) support
  • Compatibility with core alpha and RC releases

As such, if you are using the RC1 skeleton (or have updated your alpha3 skeleton), you will be able to use these packages without issue; installing them will grab these latest alpha versions, which will be compatible with the stable release (and for which their own stable releases will work with the Expressive v3 release).


So, we're done, right?


There's still work that remains. In particular:

  • We plan to version the existing documentation. This will allow us to provide version-specific docs, without confusing users about different usage and declarations.

  • We need to provide full documentation for the v3 release.

  • We will be issuing a 2.2 release with:

    • Deprecations, based on the v3 changes.
    • Backports of select v3 changes in order to aid migration.
  • We need to document migration from v2.2 to v3, and potentially provide automated tooling.

  • We anticipate users will find bugs in the RC, and will be actively incorporating bugfixes before the stable release.

Our target date is still 15 March 2018, but we need your help! Help by testing the RC1 skeleton and providing your feedback. As we prepare the v2.2 release, help by testing tooling and applying our migration documentation to your applications, and let us know what works and what doesn't. If you find features that are not documented, let us know by filing issues or asking questions in our Slack.

We look forward to the stable release, and the positive impact PSR-15 will have on the PHP ecosystem!


  • 2018-03-01: Fixes a syntax error in the instructions for creating a project. Additionally, fixes a grammatical issue in one of the headers.


Today, we pushed the final changes and fixes that culminated in the Expressive Installer and Skeleton 3.0.0alpha3 release!

The alpha releases have a ton of great features; keep reading to find out more!

Alpha 1 and Alpha 2

We released 3.0.0alpha1 on Tuesday, 6 February 2018, and 3.0.0alpha2 on Wednesday, 7 February 2018. While they were usable, there were a few issues we discovered that we felt should be addressed before a public announcement. 3.0.0alpha3 represents a stable, testable release.


Currently, we do not have a completed migration path for 3.0; this is our work in the coming weeks. Additionally, there may yet be changes coming as we get your feedback. As such, we recommend:

  • Install a fresh project.
  • Do not use the alpha release(s) in production!

To create a new project based on 3.0.0alpha3, use Composer:

$ composer create-project "zendframework/zend-expressive-skeleton:3.0.0alpha3"

This will install the skeleton, and then start prompting you for specific components you want to install, including choice of PSR-11 container, choice of router, choice of template engine, and choice of error handler. Generally speaking, we recommend the default values, except in the case of the template engine (which defaults to none; choose the engine you're most comfortable with).

Once your selections are made, the skeleton will install dependencies; when it is complete, you can enter the newly created directory to begin development:

$ cd zend-expressive-skeleton

Alternate directory

You can specify an alternate directory when calling composer create-project; when you do, you can also specify the specific version separate from the root package:

$ composer create-project zendframework/zend-expressive-skeleton expressive 3.0.0alpha3

Creating middleware

Version 3 of Expressive will work with PSR-15 (HTTP server request handlers) middleware and request handlers only. You will be writing these to create your application.

Other supported types

Expressive 3 also supports other types of middleware definitions, though they are not recommended:

  • Callable middleware using the same signature as PSR-15. These can be piped and routed to directly.
  • Callable double-pass middleware; these must be decorated using the Zend\Stratigility\doublePassMiddleware() utility class — which also requires a PSR-7 response prototype.

The skeleton project now ships with zend-expressive-tooling by default, and maps its expressive command as a composer command:

$ composer expressive help

To create your first middleware:

$ composer expressive middleware:create "App\XClacksOverheadMiddleware"

This will create the class App\XClacksOverheadMiddleware, and tell you where it has been created. You can then edit it:

namespace App;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

class XClacksOverheadMiddleware implements MiddlewareInterface
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
        $response = $handler->handle($request);
        return $response->withHeader('X-ClacksOverhead', 'GNU Terry Pratchett');

Once your middleware is created, register it in the container as an invokable, via the config/autoload/dependencies.global.php file:

'dependencies' => [
    'invokables' => [
        App\XClacksOverheadMiddleware::class => App\XClacksOverheadMiddleware::class,

Finally, register it in your config/pipeline.php file:

// likely an early statement, before routing

You've just created your first middleware!

Creating handlers

PSR-15 defines two interfaces. In the previous section, we demonstrated implementing the MiddlewareInterface. That interface references another, the RequestHandlerInterface.

Internally, we provide one that maintains the middleware pipeline and the state within the pipeline such that calling handle() advances to the next middleware.

However, there's another place handlers are of interest: for routes.

Most often, when you create a route, the class you write to handle the route will generate a response itself, and never need to delegate to another handler. As such, you can write handlers instead!

Like middleware, the tooling provides a command for creating handlers:

$ composer expressive handler:create "App\Handler\HelloWorldHandler"

This will create a RequestHandlerInterface implementation using the given name, and then tell you where on the filesystem it created it.

For this example, we'll assume you're using zend-diactoros (as it is used in the Expressive skeleton by default), and we'll create a handler that generates a Zend\Diactoros\Response\HtmlResponse. Open the file, and edit the contents to look like the following:


namespace App\Handler;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Zend\Diactoros\Response\HtmlResponse;

class HelloWorldHandler implements RequestHandlerInterface
    public function handle(ServerRequestInterface $request) : ResponseInterface
        return new HtmlResponse('<h1>Hello, world!</h1>');

Like the XClacksOverhead middleware, We'll register this with the container as an invokable, via the file config/autoload/dependencies.global.php:

'dependencies' => [
    'invokables' => [
        App\Handler\HelloWorldHandler::class => App\Handler\HelloWorldHandler::class,

Finally, we'll route to it via your config/routes.php file:

$app->get('/hello', App\Handler\HelloWorldHandler::class, 'hello');

You've just created your first handler!

Handlers and route-specific pipelines

If you have used Expressive before, you may recall that the various routing methods allowed middleware and middleware pipelines previously. This is still true! The only difference with version 3 is that we also allow request handlers.

In fact, you can add handlers into your middleware pipelines as well! If we wanted the XClacksOverheadMiddleware to only be in that specific route, we could write it as follows:

$app->get('/hello', [
], 'hello')

The only caveat is that handlers always return a response, which means they should always be the last item in a pipeline.

Test it out!

You can use the following command to fire up the PHP built-in web server:

$ composer serve

The command works on Windows and macOS; for Linux users, it will work as long as you have PHP 7.1.14 and later or 7.2.2 and later installed. For those on earlier versions, use the following:

$ php -S -t public/ public/index.php

Once you have, try hitting your new route: http://localhost:8080/hello

You should get your HTML content as defined above! If you introspect the request in your browser (or using a CLI tool such as cURL or HTTPie), you'll also see a X-Clacks-Overhead header from the middleware you created!


Hitting our first alpha releases is a huge milestone, and the culmination of many months of development. We're very excited about the results. In both Stratigility (our middleware foundation library) and Expressive, we have drastically reduced the amount of code, while providing essentially the same feature set (and, in many cases, expanding that feature set!).

In the coming weeks, we'll be developing a final version 2 minor release, 2.2.0, as well as working on documentation and migration tooling. The main goal of the 2.2 release will be to mark deprecated features, provide forward compatible alternatives, and provide tooling to help you migrate to those alternatives.

We also have a few planned features for Expressive 3 to complete. We're working on changes to the zend-component-installer to allow whitelisting packages with configuration providers, so that users will not need to be prompted during initial installation to inject configuration for packages we already know about. We also plan to develop tooling for creating and registering factories based on a given class, and updating the handler:create and middleware:create factories to generate and register factories as well. Also, recently we released version 3 of the zend-di package, and we're considering integrating it by default when zend-servicemanager is configured, to provide auto-wiring of dependencies.

This may sound like quite a bit, but much of it is already in progress, and our plan is to have a stable release by no later than 15 March 2018.

In the meantime: install and test 3.0.0alpha3! Kick its tires, and let us know what works, and, more importantly, what doesn't work, so we can provide you a stable, exciting 3.0.0 release!


Last week, the PSR-15 working group voted to start its review phase. PSR-15 seeks to standardize server-side request handlers and middleware, and both Stratigility and Expressive have been implementing draft specifications since their version 2 releases. Entering the review phase is an important moment: it means that the working group feels the specification is stable and ready for adoption. If, after the review period is over, no major changes are required, the specification can be presented to the PHP-FIG core committed for a final acceptance vote, at which point it will be frozen and ready for mass adoption.

Our plan is to have Stratigility and Expressive follow the new specification in its final form. To that end, we have been executing on a plan to prepare all our projects that work with PSR-15 to adopt the latest round of changes.

That work is ready today!

What has changed in PSR-15?

The latest round of changes to the specification prior to entering the review period were as follows:

  • The namespace of the draft specification was changed from Interop\Http\ServerMiddleware to Interop\Http\Server. These will therefor become Psr\Http\Server once the specification is accepted.

  • The DelegateInterface was renamed to RequestHandlerInterface, and the method it defines renamed to handle().

  • The MiddlewareInterface's second argument to process() was updated to typehint against RequestHandlerInterface.

  • The package shipping the interface was split into two, http-interop/http-server-handler and http-interop/http-server-middleware; these will become psr/http-server-handler and psr/http-server-middleware, respectively, once the package is accepted. The http-server-middleware packages depend on the http-server-handler packages.

These changes, of course, are not backwards compatible, and our attempts to write a polyfill library were ultimately unsuccessful. As a result, we decided to bump the major version of all libraries currently depending on the draft specification.

What we have done

Our approach in updating the various packages was as follows:

  • We created a new release branch named after the next major release. For instance, if a library is currently issuing v2 releases, we created a release-3.0.0 branch.
  • We updated the branch aliases defined in the composer.json for the package as follows, on all branches:
    • The master branch points to the current minor release. As an example, for a package with a current stable 2.3.1 version, the branch alias became "dev-master": "2.3.x-dev".
    • If a development branch already exists, we updated similarly to the master branch. For the above example, the branch alias would read "dev-develop": "2.4.x-dev".
    • The new release branch is then mapped to the upcoming major version: `"dev-release-3.0.0": "3.0.x-dev".
  • On the release branches, we updated dependencies as follows:
    • PHP dependencies became simply ^7.1 (per our decision posted in June).
    • References to http-interop/http-middleware packages were changed to "http-interop/http-server-middleware": "^1.0.1".
    • References to packages that have corresponding release branches were updated to have their constraints point to the appropriate development release branch. As an example, "zendframework/zend-expressive-router": "^3.0.0-dev".

These changes ensure users can install the new development versions of packages by feeding an appropriate development constraint.

You'll note that we bumped the minimum supported PHP version in these packages as well. Because we were doing that, we also decided to make use of PHP 7.1 features. In particular:

  • Scalar and return type hints.
  • Nullable and void types.
  • Null coalesce.
  • strict_types where it simplifies validation of scalars (which turns out to be almost everywhere).

For packages that define interfaces, this meant that we also needed corresponding major version bumps in packages that implement those interfaces. This affected the router and template implementations in particular.

If you want a complete list of what was updated, you can visit the burndown list in the forums.

How YOU can test

This is all very nice and technical, but how can YOU test out the new versions?

Install the development version of the Expressive skeleton!

$ composer create-project "zendframework/zend-expressive-skeleton:3.0.x-dev" expressive-3.0-dev

This will create the skeleton project, with your selected functionality, in a directory named expressive-3.0-dev. From there, you can start developing!

When you do, be aware of the following:

  • Middleware must now implement Interop\Http\Server\MiddlewareInterface:

    namespace YourModule;
    use Interop\Http\Server\MiddlewareInterface;
    use Interop\Http\Server\RequestHandlerInterface;
    use Psr\Http\Message\ResponseInterface;
    use Psr\Http\Message\RequestHandlerInterface;
    class YourMiddleware implements MiddlewareInterface
        public function process(
            ServerRequestInterface $request,
            RequestHandlerInterface $handler
        ) : ResponseInterface {

    Note: vendor/bin/expressive middleware:create will create these correctly for you with its 1.0.0-dev release!

  • If you want to delegate handling to the next middleware, you will now use the $handler, and call its handle() method:

    $response = $handler->handle($request);
  • If you want to use one of the optional Expressive packages, such as zend-expressive-session, you will need to require it using a development constraint. For instance:

    $ composer require zendframework/zend-expressive-session:^1.0.0-dev

    Note the use of the semantic pin (^), as well as the -dev suffix; both are necessary for composer to identify the development release.

Regarding the last point, the following is a list of all packages with development release branches, along with the corresponding version you should use when requiring them while testing:

Package Version
zend-expressive ^3.0.0-dev
zend-expressive-aurarouter ^3.0.0-dev
zend-expressive-authentication ^1.0.0-dev
zend-expressive-authentication-oauth2 ^1.0.0-dev
zend-expressive-authorization ^1.0.0-dev
zend-expressive-csrf ^1.0.0-dev
zend-expressive-fastroute ^3.0.0-dev
zend-expressive-flash ^1.0.0-dev
zend-expressive-helpers ^5.0.0-dev
zend-expressive-plastesrenderer ^2.0.0-dev
zend-expressive-router ^3.0.0-dev
zend-expressive-session ^1.0.0-dev
zend-expressive-skeleton ^3.0.0-dev
zend-expressive-template ^2.0.0-dev
zend-expressive-tooling ^1.0.0-dev
zend-expressive-twigrenderer ^2.0.0-dev
zend-expressive-zendrouter ^3.0.0-dev
zend-expressive-zendviewrenderer ^2.0.0-dev
zend-problem-details ^1.0.0-dev
zend-stratigility ^3.0.0-dev

In most cases, unless you are extending classes we provide, your existing code should just work with the new packages once you update your middleware to the new signatures.

Updating an existing application

Updating an existing application requires a bit more effort. You will need to manually edit your composer.json to update the constraints for each of the above packages to match what is in the table. Additionally, if you see references to either http-interop/http-middleware or webimpress/http-middleware-compatibility, you will need to remove those. You will also need to add the following two lines to the file:

"minimum-stability": "dev",
"prefer-stable": true

Once done with the composer.json changes, run composer update to pick up the changes. If you encounter any issues, run rm -Rf composer.lock vendor, and then execute composer install.

Finally, you will need to update any middleware in your application to implement the new interface. Ensure you have zend-expressive-tooling installed, and install it if you do not, using the ^1.0.0-dev constraint (composer require --dev "zendframework/zend-expressive-tooling:^1.0.0-dev"). Once you do, run:

$ ./vendor/bin/expressive migrate:interop-middleware

What's next?

If you run into things that do not work, report them on the appropriate issue tracker.

Once PSR-15 is finalized, our plan is to go through and update each package depending directly on it to point to the new PHP-FIG sponsored packages, and update import statements throughout our code appropriately. We'll then likely issue a beta release for folks to test against one last time.

In the meantime, we'll also be looking at other changes we may want to make. New major version breaks should happen only rarely going forward, and we may want to make a few more changes to help improve quality, simplify maintenance, and increase usability before we make the final release. As we do, we'll update you here on the blog.

Want some ebooks on ZF and Expressive?

We collated our posts from the first half of 2017 into two ebooks:

  • Zend Framework 3 Cookbook, which covers usage of a couple dozen ZF components, within zend-mvc and Expressive applications, as well as standalone.
  • Expressive Cookbook, which covers features of Expressive and middleware in general.

You can get them free with registration on the zend.com website.


Today, we released zend-db 2.9.0! This is our first new feature release in over 18 months, and contains 7 bug fixes, 6 new features, numerous unit test additions, and many documentation improvements.

zend-db is an important component of many PHP projects, and we know that its support is crucial for many people. As such, we allocated a number of weeks to triaging the various open issues and patches (more than 50) to ensure we would provide a stable release.

The release contains the following changes:


  • #216 added AFTER support in ALTER TABLE syntax for MySQL.
  • #223 added support for empty values set with the IN predicate.
  • #271 added support for dash characters in MySQL identifiers.
  • #273 added support for implementing an error handler when used with db2_prepare.
  • #275 added support for LIMIT OFFSET for db2.
  • #280 added the version DSN parameter for the pdo_dblib extension.


  • #205 fixes whitespace issues in ORDER BY syntax.
  • #224 fixes how parameters are bound to statements in the PDO adapter. PDO has a restriction on parameter names of [0-9a-zA_Z_]; as such, the driver now hashes the parameter names using md5() in order to ensure compatibility with other drivers.
  • #229 fixes SSL support in the mysqli adapter.
  • #255 fixes an edge case when using ResultSet with array values (versus objects).
  • #261 fixes how the Firebird adapter attempts to retrieve the last generated value so as to prevent exceptions being raised.
  • #276 and #287 provide fixes to enable usage of the component with PHP 7.2.

We also dropped support for PHP 5.5 (EOL last year) and HHVM; zend-db 2.9 and above now only support PHP 5.6 and PHP 7+ releases.

Future of zend-db

We are planning a 3.0 release of zend-db release sometime in 2018. This new major version will contain new features sucha as extended DDL support for different database vendors (currently, most support targets MySQL), and support for SEQUENCE. Additionally, that release will drop support for PHP versions older than 7.1.

If you want to contribute to zend-db, you are more than welcome! For more information, read the Zend Framework contribution guide.

Special thanks

A special thanks to the following zend-db contributors (in no particular order):

We also extend thanks to our community review team for their efforts in making this release of zend-db possible.


When writing middleware-based applications, at some point you will need to emit your response.

PSR-7 defines the various interfaces related to HTTP messages, but does not define how they will be used. Diactoros defines several utility classes for these purposes, including a ServerRequestFactory for generating a ServerRequest instance from the PHP SAPI in use, and a set of emitters, for emitting responses back to the client. In this post, we'll detail the purpose of emitters, the emitters shipped with Diactoros, and some strategies for emitting content to your users.

What is an emitter?

In vanilla PHP applications, you might call one or more of the following functions in order to provide a response to your client:

  • http_response_code() for emitting the HTTP response code to use; this must be called before any output is emitted.
  • header() for emitting response headers. Like http_response_code(), this must be called before any output is emitted. It may be called multiple times, in order to set multiple headers.
  • echo(), printf(), var_dump(), and var_export() will each emit output to the current output buffer, or, if none is present, directly to the client.

One aspect PSR-7 aims to resolve is the ability to generate a response piece-meal, including adding content and headers in whatever order your application requires. To accomplish this, it provides a ResponseInterface with which your application interacts, and which aggregates the response status code, its headers, and all content.

Once you have a complete response, however, you need to emit it.

Diactoros provides emitters to solve this problem. Emitters all implement Zend\Diactoros\Response\EmitterInterface:

namespace Zend\Diactoros\Response;

use Psr\Http\Message\ResponseInterface;

interface EmitterInterface
     * Emit a response.
     * Emits a response, including status line, headers, and the message body,
     * according to the environment.
     * Implementations of this method may be written in such a way as to have
     * side effects, such as usage of header() or pushing output to the
     * output buffer.
     * Implementations MAY raise exceptions if they are unable to emit the
     * response; e.g., if headers have already been sent.
     * @param ResponseInterface $response
    public function emit(ResponseInterface $response);

Diactoros provides two emitter implementations, both geared towards standard PHP SAPI implementations:

  • Zend\Diactoros\Emitter\SapiEmitter
  • Zend\Diactoros\Emitter\SapiStreamEmitter

Internally, they operate very similarly: they emit the response status code, all headers, and the response body content. Prior to doing so, however, they check for the following conditions:

  • Headers have not yet been sent.
  • If any output buffers exist, no content is present.

If either of these conditions is not true, the emitters raise an exception. This is done to ensure that consistent content can be emitted; mixing PSR-7 and global output leads to unexpected and inconsistent results. If you are using middleware, use things like the error log, loggers, etc. if you want to debug, instead of mixing strategies.

Emitting files

As noted above, one of the two emitters is the SapiStreamEmitter. The normal SapiEmitter emits the response body at once via a single echo statement. This works for most general markup and JSON payloads, but when returning files (for example, when providing file downloads via your application), this strategy can quickly exhaust the amount of memory PHP is allowed to consume.

The SapiStreamEmitter is designed to answer the problem of file downloads. It emits a chunk at a time (8192 bytes by default). While this can mean a bit more performance overhead when emitting a large file, as you'll have more method calls, it also leads to reduced memory overhead, as less content is in memory at any given time.

The SapiStreamEmitter has another important feature, however: it allows sending content ranges.

Clients can opt-in to receiving small chunks of a file at a time. While this means more network calls, it can also help prevent corruption of large files by allowing the client to re-try failed requests in order to stitch together the full file. Doing so also allows providing progress status, or even buffering streaming content.

When requesting content ranges, the client will pass a Range header:

Range: bytes=1024-2047

It is up to the server then to detect such a header and return the requested range. Servers indicate that they are doing so by responding with a Content-Range header with the range of bytes being returned and the total number of bytes possible; the response body then only contains those bytes.

Content-Range: bytes=1024-2047/11576

As an example, middleware that allows returning a content range might look like the following:

function (ServerRequestInterface $request, DelegateInterface $delegate) : ResponseInterface
    $stream = new Stream('path/to/download/file', 'r');
    $response = new Response($stream);

    $range = $request->getHeaderLine('range');
    if (empty($range)) {
        return $response;

    $size  = $body->getSize();
    $range = str_replace('=', ' ', $range);
    $range .= '/' . $size;

    return $response->withHeader('Content-Range', $range);

You'll likely want to validate that the range is within the size of the file, too!

The above code emits a Content-Range response header if a Range header is in the request. However, how do we ensure only that range of bytes is emitted?

By using the SapiStreamEmitter! This emitter will detect the Content-Range header and use it to read and emit only the bytes specified by that header; no extra work is necessary!

Mixing and matching emitters

The SapiEmitter is perfect for content generated within your application — HTML, JSON, XML, etc. — as such content is usually of reasonable length, and will not exceed normal memory and resource limits.

The SapiStreamEmitter is ideal for returning file downloads, but can lead to performance overhead when emitting standard application content.

How can you mix and match the two?

Expressive answers this question by providing Zend\Expressive\Emitter\EmitterStack. The class acts as a stack (last in, first out), executing each emitter composed until one indicates it has handled the response.

This class capitalizes on the fact that the return value of EmitterInterface is undefined. Emitters that return a boolean false indicate they were unable to handle the response, allowing the EmitterStack to move to the next emitter in the stack. The first emitter to return a non-false value halts execution.

Both the emitters defined in zend-diactoros return null by default. So, if we want to create a stack that first tries SapiStreamEmitter, and then defaults to SapiEmitter, we could do the following:

use Psr\Http\Message\ResponseInterface;
use Zend\Diactoros\Response\EmitterInterface;
use Zend\Diactoros\Response\SapiEmitter;
use Zend\Diactoros\Response\SapiStreamEmitter;
use Zend\Expressive\Emitter\EmitterStack;

$emitterStack = new EmitterStack();
$emitterStack->push(new SapiEmitter());
$emitterStack->push(new class implements EmitterInterface {
    public function emit(ResponseInterface $response)
        $contentSize = $response->getBody()->getSize();

        if ('' === $response->getHeaderLine('content-range')
            && $contentSize < 8192
        ) {
            return false;

        $emitter = new SapiStreamEmitter();
        return $emitter->emit($response);

The above will execute our anonymous class as the first emitter. If the response has a Content-Range header, or if the size of the content is greater than 8k, it will use the SapiStreamEmitter; otherwise, it returns false, allowing the next emitter in the stack, SapiEmitter, to execute. Since that emitter always returns null, it acts as a default emitter implementation.

In Expressive, if you were to wrap the above in a factory that returns the $emitterStack, and assign that factory to the Zend\Diactoros\Emitter\EmitterInterface service, then the above stack will be used by Zend\Expressive\Application for the purpose of emitting the application response!


Emitters provide you the ability to return the response you have aggregated in your application to the client. They are intended to have side-effects: sending the response code, response headers, and body content. Different emitters can use different strategies when emitting responses, from simply echoing content, to iterating through chunks of content (as the SapiStreamEmitter does). Using Expressive's EmitterStack can provide you with a way to select different emitters for specific response criteria.

For more information:


Every PHP application generates errors, warnings, and notices and throws exceptions. If we do not log this information, we lose a way to identify and solve problems at runtime. Moreover, we may need to log specific actions such as a user login and logout attempts. All such information should be filtered and stored in an efficient way.

PHP offers the function error_log() to send an error message to the defined system logger, and the function set_error_handler() to specify a handler for intercepting warnings, errors, and notices generated by PHP.

These functions can be used to customize error management, but it's up to the developer to write the logic to filter and store the data.

Zend Framework offers a logging component, zend-log; the library can be used as a general purpose logging system. It supports multiple log backends, formatting messages sent to the log, and filtering messages from being logged.

Last but not least, zend-log is compliant with PSR-3, the logger interface standard.


You can install zend-log using the following composer command:

composer require zendframework/zend-log


zend-log can be used to create log entries in different formats using multiple backends. You can also filter the log data from being saved, and process the log event prior to filtering or writing, allowing the ability to substitute, add, remove, or modify the data you log.

Basic usage of zend-log requires both a writer and a logger instance. A writer stores the log entry into a backend, and the logger consumes the writer to perform logging operations.

As an example:

use Zend\Log\Logger;
use Zend\Log\Writer\Stream;

$logger = new Logger;
$writer = new Stream('php://output');

$logger->log(Logger::INFO, 'Informational message');

The above produces the following output:

2017-09-11T15:07:46+02:00 INFO (6): Informational message

The output is a string containing a timestamp, a priority (INFO (6)) and the message (Informational message). The output format can be changed using the setFormatter() method of the writer object ($writer). The default log format, produced by the Simple formatter is as follows:

%timestamp% %priorityName% (%priority%): %message% %extra%

where %extra% is an optional value containing additional information.

For instance, if you wanted to change the format to include only log %message%, you could do the following:

$formatter = new Zend\Log\Formatter\Simple('log %message%' . PHP_EOL);

Log PHP events

zend-log can also be used to log PHP errors and exceptions. You can log PHP errors using the static method Logger::registerErrorHandler($logger) and intercept exceptions using the static method Logger::registerExceptionHandler($logger).

use Zend\Log\Logger;
use Zend\Log\Writer;

$logger = new Logger;
$writer = new Writer\Stream(__DIR__ . '/test.log');

// Log PHP errors

// Log exceptions

Filtering data

As mentioned, we can filter the data to be logged; filtering removes messages that match the filter criteria, preventing them from being logged.

We can use the addFilter() method of the Writer interface to add a specific filter.

For instance, we can filter by priority, accepting only log entries with a priority less than or equal to a specific value:

$filter = new Zend\Log\Filter\Priority(Logger::CRIT);

In the above example, the logger will only store log entries with a priority less than or equal to Logger::CRIT (critical). The priorities are defined by the Zend\Log\Logger class:

const EMERG   = 0;  // Emergency: system is unusable
const ALERT   = 1;  // Alert: action must be taken immediately
const CRIT    = 2;  // Critical: critical conditions
const ERR     = 3;  // Error: error conditions
const WARN    = 4;  // Warning: warning conditions
const NOTICE  = 5;  // Notice: normal but significant condition
const INFO    = 6;  // Informational: informational messages
const DEBUG   = 7;  // Debug: debug messages

As such, only emergency, alerts, or critical entries would be logged.

We can also filter log data based on regular expressions, timestamps, and more. One powerful filter uses a zend-validator ValidatorInterface instance to filter the log; only valid entries would be logged in such cases.

Processing data

If you need to provide additional information to logs in an automated fashion, you can use a Zend\Log\Processer class. A processor is executed before the log data are passed to the writer. The input of a processor is a log event, an array containing all of the information to log; the output is also a log event, but can contain modified or additional values. A processor modifies the log event to prior to sending it to the writer.

You can read about processor adapters offered by zend-log in the documentation.

Multiple backends

One of the cool feature of zend-log is the possibility to write logs using multiple backends. For instance, you can write a log to both a file and a database using the following code:

use Zend\Db\Adapter\Adapter as DbAdapter;
use Zend\Log\Formatter;
use Zend\Log\Writer;
use Zend\Log\Logger;

// Create our adapter
$db = new DbAdapter([
    'driver'   => 'Pdo',
    'dsn'      => 'mysql:dbname=testlog;host=localhost',
    'username' => 'root',
    'password' => 'password'

// Map event data to database columns
$mapping = [
    'timestamp' => 'date',
    'priority'  => 'type',
    'message'   => 'event',

// Create our database log writer
$writerDb = new Writer\Db($db, 'log', $mapping); // log table
$formatter = new Formatter\Base();
$formatter->setDateTimeFormat('Y-m-d H:i:s'); // MySQL DATETIME format

// Create our file log writer
$writerFile = new Writer\Stream(__DIR__ . '/test.log');

// Create our logger and register both writers
$logger = new Logger();
$logger->addWriter($writerDb, 1);
$logger->addWriter($writerFile, 100);

// Log an information message
$logger->info('Informational message');

The database writer requires the credentials to access the table where you will store log information. You can customize the field names for the database table using a $mapping array, containing an associative array mapping log fields to database columns.

The database writer is composed in $writerDb and the file writer in $writerFile. The writers are added to the logger using the addWriter() method with a priority number; higher integer values indicate higher priority (triggered earliest). We chose priority 1 for the database writer, and priority 100 for the file writer; this means the file writer will log first, followed by logging to the database.

Note: we used a special date formatter for the database writer. This is required to translate the log timestamp into the DATETIME format of MySQL.

PSR-3 support

If you need to be compatible with PSR-3, you can use Zend\Log\PsrLoggerAdapter. This logger can be used anywhere a Psr\Log\LoggerInterface is expected.

As an example:

use Psr\Log\LogLevel;
use Zend\Log\Logger;
use Zend\Log\PsrLoggerAdapter;

$zendLogLogger = new Logger;
$psrLogger = new PsrLoggerAdapter($zendLogLogger);

$psrLogger->log(LogLevel::INFO, 'We have a PSR-compatible logger');

To select a PSR-3 backend for writing, we can use the Zend\Log\Writer\Psr class. In order to use it, you need to pass a Psr\Log\LoggerInterface instance to the $psrLogger constructor argument:

$writer = new Zend\Log\Writer\Psr($psrLogger);

zend-log also supports PSR-3 message placeholders via the Zend\Log\Processor\PsrPlaceholder class. To use it, you need to add a PsrPlaceholder instance to a logger, using the addProcess() method. Placeholder names correspond to keys in the "extra" array passed when logging a message:

use Zend\Log\Logger;
use Zend\Log\Processor\PsrPlaceholder;

$logger = new Logger;
$logger->addProcessor(new PsrPlaceholder);

$logger->info('User with email {email} registered', ['email' => 'user@example.org']);

An informational log entry will be stored with the message User with email user@example.org registered.

Logging an MVC application

If you are using a zend-mvc based application, you can use zend-log as module. zend-log provides a Module.php class, which registers Zend\Log as a module in your application.

In particular, the zend-log module provides the following services (under the namespace Zend\Log):

Logger::class         => LoggerServiceFactory::class,
'LogFilterManager'    => FilterPluginManagerFactory::class,
'LogFormatterManager' => FormatterPluginManagerFactory::class,
'LogProcessorManager' => ProcessorPluginManagerFactory::class,
'LogWriterManager'    => WriterPluginManagerFactory::class,

The Logger::class service can be configured using the log config key; the documentation provides configuration examples.

In order to use the Logger service in your MVC stack, grab it from the service container. For instance, you can pass the Logger service in a controller using a factory:

use Zend\Log\Logger;
use Zend\ServiceManager\Factory\FactoryInterface;

class IndexControllerFactory implements FactoryInterface
    public function __invoke(
        ContainerInterface $container,
        array $options = null
    ) {
        return new IndexController(

via the following service configuration for the IndexController:

'controllers' => [
    'factories' => [
        IndexController::class => IndexControllerFactory::class,

Logging a middleware application

You can also integrate zend-log in your middleware applications. If you are using Expressive, add the component's ConfigProvider to your config/config.php file.

Note: if you are using zend-component-installer, you will be prompted to install zend-log's config provider when you install the component via Composer.

Note: This configuration registers the same services provided in the zend-mvc example, above.

To use zend-log in middleware, grab it from the dependency injection container and pass it as a dependency to your middleware:

namespace App\Action;

use Psr\Container\ContainerInterface;
use Zend\Log\Logger;

class HomeActionFactory
    public function __invoke(ContainerInterface $container) : HomeAction
        return new HomeAction(

As an example of logging in middleware:

namespace App\Action;

use Interop\Http\ServerMiddleware\DelegateInterface;
use Interop\Http\ServerMiddleware\MiddlewareInterface as ServerMiddlewareInterface;
use Psr\Http\Message\ServerRequestInterface;
use Zend\Log\Logger;

class HomeAction implements ServerMiddlewareInterface
    private $logger;

    public function __construct(Logger $logger)
        $this->logger = logger;

    public function process(
        ServerRequestInterface $request,
        DelegateInterface $delegate
    ) {
        $this->logger->info(__CLASS__ . ' has been executed');

        // ...

Listening for errors in Expressive

Expressive and Stratigility provide a default error handler middleware implementation, Zend\Stratigility\Middleware\ErrorHandler which listens for PHP errors and exceptions/throwables. By default, it spits out a simple error page when an error occurs, but it also provides the ability to attach listeners, which can then act on the provided error.

Listeners receive the error, the request, and the response that the error handler will be returning. We can use that information to log information!

First, we create an error handler listener that composes a logger, and logs the information:

use Exception;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Throwable;
use Zend\Log\Logger;

class LoggingErrorListener
     * Log message string with placeholders
    const LOG_STRING = '{status} [{method}] {uri}: {error}';

    private $logger;

    public function __construct(Logger $logger)
        $this->logger = $logger;

    public function __invoke(
        ServerRequestInterface $request,
        ResponseInterface $response
    ) {
        $this->logger->error(self::LOG_STRING, [
            'status' => $response->getStatusCode(),
            'method' => $request->getMethod(),
            'uri'    => (string) $request->getUri(),
            'error'  => $error->getMessage(),

The ErrorHandler implementation casts PHP errors to ErrorException instances, which means that $error is always some form of throwable.

We can then write a delegator factory that will register this as a listener on the ErrorHandler:

use LoggingErrorListener;
use Psr\Container\ContainerInterface;
use Zend\Log\Logger;
use Zend\Log\Processor\PsrPlaceholder;
use Zend\Stratigility\Middleware\ErrorHandler;

class LoggingErrorListenerFactory
    public function __invoke(
        ContainerInterface $container,
        callable $callback
    ) : ErrorHandler {
        $logger = $container->get(Logger::class);
        $logger->addProcessor(new PsrPlaceholder());

        $listener = new LoggingErrorListener($logger);
        $errorHandler = $callback();
        return $errorHandler;

And then register the delegator in your configuration:

// In a ConfigProvider, or a config/autoload/*.global.php file:
use LoggingErrorListenerFactory;
use Zend\Stratigility\Middleware\ErrorHandler;

return [
    'dependencies' => [
        'delegators' => [
            ErrorHandler::class => [

At this point, your error handler will now also log errors to your configured writers!


The zend-log component offers a wide set of features, including support for multiple writers, filtering of log data, compatibility with PSR-3, and more.

Hopefully you can use the examples above for consuming zend-log in your standalone, zend-mvc, Expressive, or general middleware applications!

Learn more in the zend-log documentation.


When writing PSR-7 middleware, at some point you'll need to return a response.

Maybe you'll be returning an empty response, indicating something along the lines of successful deletion of a resource. Maybe you need to return some HTML, or JSON, or just plain text. Maybe you need to indicate a redirect.

But here's the problem: a generic response typically has a very generic constructor. Take, for example, Zend\Diactoros\Response:

public function __construct(
    $body = 'php://memory',
    $status = 200,
    array $headers = []

$body in this signature allows either a Psr\Http\Message\StreamInterface instance, a PHP resource, or a string identifying a PHP stream. This means that it's not terribly easy to create even a simple HTML response!

To be fair, there are good reasons for a generic constructor: it allows setting the initial state in such a way that you'll have a fully populated instance immediately. However, the means for doing so, in order to be generic, leads to convoluted code for most consumers.

Fortunately, Diactoros provides a number of convenience implementations to help simplify the most common use cases.


The standard response from an API for a successful deletion is generally a 204 No Content. Sites emitting webhook payloads often expect a 202 Accepted with no content. Many APIs that allow creation of resources will return a 201 Created; these may or may not have content, depending on implementation, with some being empty, but returning a Location header with the URI of the newly created resource.

Clearly, in such cases, if you don't need content, why would you be bothered to create a stream? To answer this, we have Zend\Diactoros\Response\EmptyResponse, with the following constructor:

public function __construct($status = 204, array $headers = [])

So, a DELETE endpoint might return this on success:

return new EmptyResponse();

A webhook endpoint might do this:

return new EmptyResponse(StatusCodeInterface::STATUS_ACCEPTED);

An API that just created a resource might do the following:

return new EmptyResponse(
    ['Location' => $resourceUri]


Redirects are common within web applications. We may want to redirect a user to a login page if they are not currently logged in; we may have changed where some of our content is located, and redirect users requesting the old URIs; etc.

Zend\Diactoros\Response\RedirectResponse provides a simple way to create and return a response indicating an HTTP redirect. The signature is:

public function __construct($uri, $status = 302, array $headers = [])

where $uri may be either a string URI, or a Psr\Http\Message\UriInterface instance. This value will then be used to seed a Location HTTP header.

return new RedirectResponse('/login');

You'll note that the $status defaults to 302. If you want to set a permanent redirect, pass 301 for that argument:

return new RedirectResponse('/archives', 301);

// or, using fig/http-message-util:
return new RedirectResponse('/archives', StatusCodeInterface::STATUS_PERMANENT_REDIRECT);

Sometimes you may want to set an header as well; do that by passing the third argument, an array of headers to provide:

return new RedirectResponse(
    ['X-ORIGINAL_URI' =>  $uri->getPath()]


Sometimes you just want to return some text, whether it's plain text, XML, YAML, etc. When doing that, taking the extra step to create a stream feels like overhead:

$stream = new Stream('php://temp', 'wb+');

To simplify this, we offer Zend\Diactoros\Response\TextResponse, with the following signature:

public function __construct($text, $status = 200, array $headers = [])

By default, it will use a Content-Type of text/plain, which means you'll often need to supply a Content-Type header with this response.

Let's return some plain text:

return new TextResponse('Hello, world!');

Now, let's try returning a Problem Details XML response:

return new TextResponse(
    ['Content-Type' => 'application/problem+xml']

If you have some textual content, this is the response for you.


The most common response from web applications is HTML. If you're returning HTML, even the TextResponse may seem a bit much, as you're forced to provide the Content-Type header. To answer that, we provide Zend\Diactoros\Response\HtmlResponse, which is exactly the same as TextResponse, but with a default Content-Type header specifying text/html; charset=utf-8 instead.

As an example:

return new HtmlResponse($renderer->render($template, $view));


For web APIs, JSON is generally the lingua franca. Within PHP, this generally means passing an array or object to json_encode(), and supplying a Content-Type header of application/json or application/{type}+json, where {type} is a more specific mediatype.

Like text and HTML, you likely don't want to do this manually every time:

$json = json_encode(
$stream = new Stream('php://temp', 'wb+');
$response = new Response(
    ['Content-Type' => 'application/json']

To simplify this, we provide Zend\Diactoros\Response\JsonResponse, with the following constructor signature:

public function __construct(
    $status = 200,
    array $headers = [],
    $encodingOptions = self::DEFAULT_JSON_FLAGS
) {

where $encodingOptions defaults to the flags specified in the previous example.

This means our most common use case now becomes this:

return new JsonResponse($data);

What if we want to return a JSON-formatted Problem Details response?

return new JsonResponse(
    ['Content-Type' => 'application/problem+json']

One common workflow we've seen with JSON responses is that developers often want to manipulate them on the way out through middleware. As an example, they may want to add additional _links elements to HAL responses, or add counts for collections.

Starting in version 1.5.0, we provide a few extra methods on this particular response type:

public function getPayload() : mixed;
public function getEncodingOptions() : int;
public function withPayload(mixed $data) : JsonResponse;
public function withEncodingOptions(int $options) : JsonResponse;

Essentially, what happens is we now store not only the encoded $data internally, but the raw data; this allows you to pull it, manipulate it, and then create a new instance with the updated data. Additionally, we allow specifying a different set of encoding options later; this can be useful, for instance, for adding the JSON_PRETTY_PRINT flag when in development. When the options are changed, the new instance will also re-encode the existing data.

First, let's look at altering the payload on the way out. zend-expressive-hal injects _total_items, _page, and _page_count properties, and you may want to remove the underscore prefix for each of these:

function (ServerRequestInterface $request, DelegateInterface $delegate) : ResponseInterface
    $response = $delegate->process($request);
    if (! $response instanceof JsonResponse) {
        return $response;

    $payload = $response->getPayload();
    if (! isset($payload['_total_items'])) {
        return $response;

    $payload['total_items'] = $payload['_total_items'];

    if (isset($payload['_page'])) {
        $payload['page'] = $payload['_page'];
        $payload['page_count'] = $payload['_page_count'];
        unset($payload['_page'], $payload['_page_count']);

    return $response->withPayload($payload);

Now, let's write middleware that sets the JSON_PRETTY_PRINT option when in development mode:

function (
    ServerRequestInterface $request,
    DelegateInterface $delegate
) : ResponseInterface use ($isDevelopmentMode) {
    $response = $delegate->process($request);

    if (! $isDevelopmentMode || ! $response instanceof JsonResponse) {
        return $response;

    $options = $response->getEncodingOptions();
    return $response->withEncodingOptions($options | JSON_PRETTY_PRINT);

These features can be really powerful when shaping your API!


The goal of PSR-7 is to provide the ability to standardize on interfaces for your HTTP interactions. However, at some point you need to choose an actual implementation, and your choice will often be shaped by the features offered, particularly if they provide convenience in your development process. Our goal with these various custom response implementations is to provide convenience to developers, allowing them to focus on what they need to return, not how to return it.

You can check out more in the Diactoros documentation.