[eluser]kirilisa[/eluser]
Hi folks,
I was just looking at the code in NGSession to see how it works and I came across a couple things that puzzled me/seemed not right.
1) In the function sess_update, it generates a new session id and a new last activity time, and then calls sess_write_database or sess_write_cookie with that information. HOWEVER, in sess_write_database it explicitly does *not* write session id information (it unsets any session_id info passed to it): ergo, the new session id is never saved to the DB, although the new last activity time is, thus (I would think) completely defeating the purpose of session update. And indeed, when I've tested it, I see the new session id generated, but when I check my database, that information is never written there. This seems like a pretty bad bug to me.
2) In function sess_read, when it is looking up the session data from the database (based on the session id it got from the cookie) the SQL statement has the following WHERE clauses:
Code:
// database mode - no need to check if all fields are required - just get them all
if ($this->use_database == TRUE)
{
$this->CI->db->where('session_id', $this->session_id);
$this->CI->db->where('ip_address', $this->CI->input->ip_address());
$this->CI->db->where('user_agent', trim(substr($this->CI->input->user_agent(), 0, 50)));
Now this is *before* it checks to see if you have indeed set sess_match_ip and sess_match_useragent to be TRUE, i.e. it seems to me that even if you didn't want Useragent and IP matching to happen, they are still happening? What's odd is that farther down in function sess_read it does do a check on sess_match_ip and sess_match_useragent - using the same values as it used in the WHERE clause.
Code:
// Does the IP Match?
if ($this->CI->config->item('sess_match_ip') == TRUE AND $session['ip_address'] != $this->CI->input->ip_address())
{
$this->sess_destroy();
return FALSE;
}
// Does the User Agent Match?
if ($this->CI->config->item('sess_match_useragent') == TRUE AND trim($session['user_agent']) != trim(substr($this->CI->input->user_agent(), 0, 50)))
{
$this->sess_destroy();
return FALSE;
}
This is a redundancy, is it not? These if statements will never return TRUE because the WHERE clause makes it impossible that they'd be different, no? Am I missing something? I can't really test it, but it seems to me that given the WHERE clause, retrieving the session data will always fail if your Useragent or IP have changed, whether you set the config to be rigorous in that way or not.
Please correct me if I am wrong!
Thanks!
