session()->stop() not destroying data |
READ:
CodeIgniter 4 User Guide -> Library Reference -> Session Library -> Destroying a Session What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
(05-06-2023, 09:42 PM)InsiteFX Wrote: READ: What makes you think I haven't been reading and re-reading that already? Another pointer to the documentation already in discussion doesn't really add any value. Quote:To clear the current session (for example, during a logout), you may simply use either PHP’s session_destroy() function Nope! Quote:You may also use the stop() method to completely kill the session by removing the old session ID, destroying all data, and destroying the cookie that contained the session ID Nope! READ: session()->stop() not destroying data
From php.net it looks like the Expire date time format has been changed in php 8.2, not sure if that is
the problem tho. Looking at the code it is passing a 1 in the expire field, this should be minus - from the current time to stop and destroy cookies. What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
(05-06-2023, 09:56 PM)Crenel Wrote:Quote:To clear the current session (for example, during a logout), you may simply use either PHP’s session_destroy() function This part was due to my error. The session_destroy() function provided by PHP does work. However, $session->stop() does not. I upgraded to CI 4.3.4 just to make sure this is still relevant. This is on a system still using PHP 7.4. It looks like this may be a long-term problem. There's an old Github issue about this. That issue was closed with the claim that "it's all working as it should" (with data still present after stop()) despite a prior statement from the same person that the data "shouldn't be" still present.
of course this is a bug session does not work
$session = session(); $session->stop(); Codeigniter First, Codeigniter Then You!!
yekrinaDigitals
It seems stop() does not destroy the session.
Create an issue on GitHub.
Is there no urgent way to address major security holes in CodeIgniter? I looked for one, but couldn't find anything. How would somebody responsibly report a newly found major flaw, rather than telling the world before it can be fixed?
Obviously "newly found" does not apply to this problem, but... good grief, SOMEHOW this needs to be escalated and fixed by those who have the knowledge and time to do that. If nobody can address gaping security holes in CodeIgniter, please tell me now so that I can immediately drop all use of it. That this major security flaw may have been allowed to exist since 2017 without any serious attention severely damages CI4 credibility. This makes me wonder if I need to immediately abandon CodeIgniter as a lost ship and find something else to build on. And you can think "fine, go, we don't need you" but ... this is insane. Fix this inexcusable security hole for remaining CodeIgniter developers who don't even know it exists! How many sites out there - and their users who think they're logging out when, in fact, they're staying logged in for whoever uses that computer next - are vulnerable due to this flaw? I'm glad I didn't put any CI4 code into production. Yikes, what a mess. And what a harsh demonstration of needing to thoroughly test all functionality, including that which is provided by libraries and frameworks.
The main repo has information about report vulnerabilities.
I mentioned it in the repo yesterday, but it looks like the error was in the documentation. That's completely my fault, as I originally ported the code and user guide from v3 to v4 and didn't understand the session library enough at that time. AFAIK there has only been one time this was brought to our attention prior to you reporting it recently. I'm guess I didn't go and check the user guide after verifying there was not a bug in the code on that initial report. The intent of the stop() method, as I understand it, was simply to close the session out, not destroy the session, freeing things up for when under heavy traffic. We will definitely update the user guide and release another security disclosure about it when we've resolved it. We would have done so earlier if we had realized the error.
If you navigate to GitHub main repo, you can easily find the info about Reporting a security vulnerability.
https://github.com/codeigniter4/CodeIgniter4/issues and click "New issue" button. https://github.com/codeigniter4/CodeIgniter4/security and click "Policy". https://github.com/codeigniter4/CodeIgniter4 and click "SECURITY.md" file.
Why not just use session()->destroy() - is it not really destroying the session ?
CodeIgniter Wizard (CRUD code generator for Mac) instantly scaffolds Bootstrap-based web applications with an administrative interface (admin templates include Bootstrap5) |
Welcome Guest, Not a member yet? Register Sign In |