Lost Session - session cookie encryption issue
#1

[eluser]Cifa[/eluser]
Hi everybody,

I don't know if somebody has got the same problem but I'll share it just in case :-)

When using the Session class with encryption, the Encrypt->decode method occasionally returned FALSE and the session was lost. I did some debugging:

Session->sess_read
Code:
$session = $this->CI->input->cookie($this->sess_cookie_name);

// No cookie?  Goodbye cruel world!...
if ($session === FALSE)
{
   log_message('debug', 'A session cookie was not found.');
   return FALSE;
}

// extra debugging
log_message('debug', 'Cookie string: '.nl2br($session));

// Decrypt the cookie data
if ($this->sess_encrypt_cookie == TRUE)
{
   $session = $this->CI->encrypt->decode($session, $this->encryption_key);
}

and Encrypt->decode
Code:
function decode($string, $key = '')
{
    $key = $this->get_key($key);

    if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string, $matches))
    {
        log_message('debug', "Encryption ERROR - invalid string: $string invalid matches: ".serialize($matches));
        return FALSE;
    }

    $dec = base64_decode($string);

    if ($this->_mcrypt_exists === TRUE)
    {
        if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE)
        {
            return FALSE;
        }
    }

    return $this->_xor_decode($dec, $key);
}


and to my surprise got this in my log file:

DEBUG - 2010-11-19 15:01:10 --> Session Class Initialized
DEBUG - 2010-11-19 15:01:10 --> Helper loaded: string_helper
DEBUG - 2010-11-19 15:01:10 --> Encrypt Class Initialized
DEBUG - 2010-11-19 15:01:10 --> Cookie string: ownG2IhiGI4LJXr0NiZMfTir5+lL9Uo6zB4azgaICDZKbyL7xZmlcdWDQlNcCVzyrNslYvtPfEqbY3hnXR7A5yQnwzYe7R60iqbFDn+oqXs3YJlFmVk8Oj6VqkJI1XSCd9LP0GWLpFSRpQumWqMMsJA8BHoMDW08rhmB2x8/z/F+qH/iETzaEENaQCdNNkCfq/Cx3YXYi/PVoVUvJKqDdpBrw2uD90epaMPRVyygpDB5O9CQs/1IPoaUyGvePa1jbPQBcA9fV/gyxFGk27kbBhvfpe2P2a3M473mXr4omPpLBfFf1lDIwD7dH0ehP2z6xiUgNomowSF04FmkfUPqwvWjx+/R6uQCPnX4SuqfYwDSIH0LPeisC+PqgjJWU78u0ISphjF5OnBCusqdP4LEt+4wAHpKMjXODuvhC28fRbsPlUCml8zNT38bENMtT6TcS6+Tith8U0TftJ2ltWEeVvld3r3MU2iq3i3iACxXQZEHhoalGVNxua3bGI3N2KvVL3UjyWloxDkw2L79Vor47czCHTU0LYSdteJef2CkiMtNSFoRkw4ZcR7SX3hKJaRmOT3JkArcR8CCixqckSHnpqyw5RKJW6cUKhsq55jli2lEg59S3XEARu/0MRP0A6TQ<br />

DEBUG - 2010-11-19 15:01:10 --> Encryption ERROR - invalid string: ownG2IhiGI4LJXr0NiZMfTir5+lL9Uo6zB4azgaICDZKbyL7xZmlcdWDQlNcCVzyrNslYvtPfEqbY3hnXR7A5yQnwzYe7R60iqbFDn+oqXs3YJlFmVk8Oj6VqkJI1XSCd9LP0GWLpFSRpQumWqMMsJA8BHoMDW08rhmB2x8/z/F+qH/iETzaEENaQCdNNkCfq/Cx3YXYi/PVoVUvJKqDdpBrw2uD90epaMPRVyygpDB5O9CQs/1IPoaUyGvePa1jbPQBcA9fV/gyxFGk27kbBhvfpe2P2a3M473mXr4omPpLBfFf1lDIwD7dH0ehP2z6xiUgNomowSF04FmkfUPqwvWjx+/R6uQCPnX4SuqfYwDSIH0LPeisC+PqgjJWU78u0ISphjF5OnBCusqdP4LEt+4wAHpKMjXODuvhC28fRbsPlUCml8zNT38bENMtT6TcS6+Tith8U0TftJ2ltWEeVvld3r3MU2iq3i3iACxXQZEHhoalGVNxua3bGI3N2KvVL3UjyWloxDkw2L79Vor47czCHTU0LYSdteJef2CkiMtNSFoRkw4ZcR7SX3hKJaRmOT3JkArcR8CCixqckSHnpqyw5RKJW6cUKhsq55jli2lEg59S3XEARu/0MRP0A6TQ
invalid matches: a:1:{i:0;s:1:"
";}

DEBUG - 2010-11-19 15:01:10 --> Cookie error: Incorrect format
DEBUG - 2010-11-19 15:01:10 --> Session NEW Session Created
DEBUG - 2010-11-19 15:01:10 --> New Cookie Being Set:
DEBUG - 2010-11-19 15:01:10 --> Session routines successfully run

Conclusion: for an unknown reason, the session cookie string occasionally has a newline character appended to the end. This gets caught by the regular expression in the Encrypt class when the decode method is called and results in FALSE being returned, which in turn kills the current session and creates a new one.

Hopefully, trimming the session string should fix the problem.
#2

[eluser]WanWizard[/eluser]
Never seen this behaviour before.

What environment (CI version, PHP version, Webserver, OS)?
#3

[eluser]Cifa[/eluser]
OK some more details:

Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k
PHP/5.2.12
CodeIgniter 1.7.1

Windows Server 2003 R2 service pack 2

One other thing... I work in a school. That means we're behind a couple of proxies and use SmoothWall web filtering. It is possible that this is the cause of this strange behaviour.

Anyway, it doesn't really matter what causes it. The point is that it can happen, and therefore CodeIgniter should cater for it. Maybe the session string should be run through a regex to remove all disallowed characters before it's processed?
#4

[eluser]WanWizard[/eluser]
Quite possible; I haven't been able to reproduce this. I'm not sure CI should cater for every individual issue that can arise in a specific environment.

This is very easy to fix by creating an Encrypt extension:
Code:
class MY_Encrypt extends CI_Encrypt
{
    // Strip a trailing CR/LF from the cookie string before the core
    // decode() runs its character check on it
    function decode($string, $key = '')
    {
        return parent::decode(rtrim($string, "\r\n"), $key);
    }
}
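As an added example (not code from this thread or from CodeIgniter itself), the stand-alone PHP script below reproduces the base64-alphabet guard from post #1 that rejects a cookie with a trailing newline, and wraps it with the narrow rtrim() fix from post #4; it also shows that the wrapper still refuses a leading newline or an embedded byte, so only the one known benign corruption is tolerated. The function names, the COOKIE_ALPHABET constant and the sample payload are assumptions.

```php
<?php
// Added example, not CodeIgniter code: reproduces the base64-alphabet guard
// that CI 1.7's Encrypt::decode() applies to the session cookie, shows how a
// trailing newline makes it return false, and wraps it with the narrow
// rtrim() fix from the thread. Names and the sample payload are assumptions.

// Same character class as the preg_match() in CI_Encrypt::decode()
const COOKIE_ALPHABET = '/[^a-zA-Z0-9\/\+=]/';

// Mirrors the guard at the top of decode(): any byte outside the base64
// alphabet rejects the whole cookie; otherwise the payload is base64-decoded.
function guarded_decode($cookie)
{
    if (preg_match(COOKIE_ALPHABET, $cookie, $m)) {
        // Report the offending byte numerically; the thread's serialize() trick
        // showed it only as a bare line break inside the log line
        fprintf(STDERR, "rejected: byte 0x%02x outside base64 alphabet\n", ord($m[0]));
        return false;
    }
    // Strict mode so that malformed base64 fails rather than decoding to garbage
    return base64_decode($cookie, true);
}

// Tolerant wrapper: drop trailing CR/LF only (what a proxy or filter appended),
// leave everything else to the guard so unexpected bytes still fail closed.
function tolerant_decode($cookie)
{
    return guarded_decode(rtrim($cookie, "\r\n"));
}

// Constructed stand-in for the encrypted, serialized session array
$payload = "constructed-session-blob";
$clean   = base64_encode($payload);
$tainted = $clean . "\n";   // what nl2br() exposed as "<br />" in post #1

// The clean cookie decodes; the newline-tainted one is rejected, so the
// session would be dropped and recreated exactly as the log in post #1 shows
var_dump(guarded_decode($clean) === $payload);
var_dump(guarded_decode($tainted));

// With the wrapper the tainted cookie is accepted again...
var_dump(tolerant_decode($tainted) === $payload);
// ...but a leading newline or an embedded space is still refused
var_dump(tolerant_decode("\n" . $clean));
var_dump(tolerant_decode(substr_replace($clean, ' ', 4, 1)));
```

Run it with the PHP CLI; the rejected cases also print the offending byte on stderr so a lost-session report can be matched to the exact character a proxy inserted.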
#5

[eluser]Cifa[/eluser]
Well, I beg to differ. I think CodeIgniter should strive to work in as many specific environments as possible without these kinds of fixes. If there is the potential for this unpredictable behaviour and it is as easy to fix as this one, then why not add it to the core class just to make sure it simply cannot happen?

If this is caused, for example, by the SmoothWall web filter, there might be quite a few people out there wondering why they occasionally get kicked out of some web applications for no apparent reason.