[SOLVED] - [bug found in session/encryption class] Same session encrypt-key for 2 applications
#1

[eluser]Byrro[/eluser]
Hello,

I'm using more than one application and sharing sessions between them, with encryption enabled. The problem is: I'd like to use the
Code:
$config['encryption_key'] = "(...)";
from the main application, not the "sub"-applications config files.

My goal is to be able to change the encrypt-key easily in just one file for all applications... I'm trying to do this, but not successfully. When I call the session class, each application searches for the encrypt-key in its own config file, not the main application's config.php. Does someone have a tip to achieve this?

Thank you!!..
#2

[eluser]n0xie[/eluser]
Extend the session class and overwrite the method?
#3

[eluser]Byrro[/eluser]
It's a good idea, I'll try that and post the results here later...
Thanks n0xie!
#4

[eluser]Byrro[/eluser]
Looking inside the Session library, I saw that I can set "global" preferences for the entire framework, instead of doing it by the config file.

Just look for the constructor of the session class and set the values on the $params array.

Code:
function CI_Session($params = array())

Just that simple... Thanks for the tip n0xie! Next time I'll try looking inside the libraries b4 asking here!
#5

[eluser]Byrro[/eluser]
Actually, I've found a problem:

In the function _set_cookie of the Session class, we have this code:

Code:
if ($this->sess_encrypt_cookie == TRUE)
{
    $cookie_data = $this->CI->encrypt->encode($cookie_data);
}

In the encryption class, the function encode is written this way:

Code:
function encode($string, $key = '')
{
    $key = $this->get_key($key);
    $enc = $this->_xor_encode($string, $key);

    if ($this->_mcrypt_exists === TRUE)
    {
        $enc = $this->mcrypt_encode($enc, $key);
    }
    return base64_encode($enc);
}

The problem is: the Session class calls the Encryption class's "encode" method without passing the second parameter. The encode method then looks first in the Encryption class constructor, which sets, by default, the encryption_key to an empty string. Then it looks in the config file. So it doesn't matter if you set an encryption_key inside the Session class; it will always use the key set in the config file.

To work around this problem, we have two ways: set a default encryption_key in the Encryption class, or pass the second parameter to the encode method. I've tested the first one and it worked. I tried the second way (which is better, I think) but not successfully. Here's the code I'm trying, in the Session class:

Code:
function CI_Session($params = array('encryption_key' => 'foobar'))

Code:
function _set_cookie($cookie_data = NULL)
{
    (...)

    if ($this->sess_encrypt_cookie == TRUE)
    {
        $cookie_data = $this->CI->encrypt->encode($cookie_data, $this->encryption_key);
    }

Could someone please help me to get this working? Thank you!
#6

[eluser]WanWizard[/eluser]
You not only have to fix the encode() call, but also the decode() call, in the sess_read() method.
It needs the same treatment to use your key to decrypt the cookie.

I think you should report this in the bug forum.
#7

[eluser]Byrro[/eluser]
Thanks WanWizard!
It's working now.
I'll report it in the bug forum.
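
An added example, not part of the thread and not CodeIgniter's code: a stand-in encrypt class with the key lookup order described in post #5, showing why the shared key has to reach both encode() and decode() as noted in post #6. The class name DemoEncrypt, the keys and the session string are constructed, and AES-256-GCM via OpenSSL is swapped in for the XOR/mcrypt routines so that a wrong key is detected instead of producing garbage.

```php
<?php
// Stand-in for the key lookup described in the thread (hypothetical class,
// not CodeIgniter's own). All keys and the session string are constructed.
class DemoEncrypt
{
    private $instance_key = '';   // empty by default, as the thread describes
    private $config_key;          // plays the role of $config['encryption_key']

    public function __construct($config_key) { $this->config_key = $config_key; }

    // Lookup order: explicit argument, then instance key, then config file.
    public function get_key($key = '')
    {
        if ($key === '') {
            $key = ($this->instance_key !== '') ? $this->instance_key : $this->config_key;
        }
        return hash('sha256', $key, true);   // 32 raw bytes for AES-256
    }

    public function encode($string, $key = '')
    {
        $iv = random_bytes(12);
        $ct = openssl_encrypt($string, 'aes-256-gcm', $this->get_key($key), OPENSSL_RAW_DATA, $iv, $tag);
        return base64_encode($iv . $tag . $ct);
    }

    // Returns FALSE when the resolved key differs from the one used to encode.
    public function decode($string, $key = '')
    {
        $raw = base64_decode($string);
        $iv  = substr($raw, 0, 12);
        $tag = substr($raw, 12, 16);
        $ct  = substr($raw, 28);
        return openssl_decrypt($ct, 'aes-256-gcm', $this->get_key($key), OPENSSL_RAW_DATA, $iv, $tag);
    }
}

$shared_key = 'constructed-shared-key';               // one key meant for all applications
$main = new DemoEncrypt('constructed-main-app-key');  // main application's config key
$sub  = new DemoEncrypt('constructed-sub-app-key');   // sub-application's config key
$data = 'session_id=abc123';

// Case 1: no key passed anywhere, each application falls back to its own config key.
var_dump($sub->decode($main->encode($data)));
// Case 2: only encode() receives the shared key, decode() still uses the config key.
var_dump($sub->decode($main->encode($data, $shared_key)));
// Case 3: the same key is passed to both encode() and decode().
var_dump($sub->decode($main->encode($data, $shared_key), $shared_key));
```

Only the third call returns the original string; the first two fail the authentication check and return FALSE, which is the half-fixed state the thread ran into before decode() was given the same key.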



