Session Limit in CodeIgniter Session Library
#1

[eluser]eyupci[/eluser]
I have an annoying and interesting problem in the CodeIgniter session library.

I'm building a form with multiple steps. I am saving form values in the session to pass them from one step to another. I configured the session to be stored in the database. That's okay so far.

However, I have a textarea (rich text editor) and users can paste a large document, like 15 or 16 pages long.
At that point, when I write this post data (coming from the rich text editor) to the session, it blows up. I try to read it, and I see the session is empty(!). My test result is that the problem occurs after 65KB of data.

The data type of the field in the session table is BLOB; the database engine is MyISAM.

Is this a bug ? Does someone have an idea ?

Thanks for your advice.
#2

[eluser]jedd[/eluser]
[quote author="eyupci" date="1245976867"]
Is this a bug ? Does someone have an idea ?
[/quote]

Probably not, and probably yes.

How big is your blob? By default MySQL BLOB types are 64K (a number that can, to the untrained eye, look like 65K).

'Real' session data (cookies) can be 4KB.
#3

[eluser]Dam1an[/eluser]
Jedd, it's text that's limited to 64K, Blob has a theoretical limit of 2Gb, but will normally cause problems once it goes above a few hundred meg, see here for more

Try using LONGTEXT, that can handle 4 trillion characters. (or MEDIUMTEXT for 16 million characters)
#4

[eluser]jedd[/eluser]
[quote author="Dam1an" date="1245978102"]Jedd, it's text that's limited to 64K, Blob has a theoretical limit of 2Gb, but will normally cause problems once it goes above a few hundred meg ...[/quote]

There's two things I hate right now about documentation - what the PHP guys did to their front / index page of their reference manual (you now have to guess where your string functions hide), and what the MySQL guys (or probably Sun) did to their reference manual (it's just plain ugly - ctrl-f is way faster than any server-based search function can ever be, and I know that makes me sound old fashioned but that's just because I'm right).

In any case, all it means is that I'll have to quote my own MySQL refman rather than point you at an online reference as I simply can't find this at the current MySQL site:

Quote: A BLOB column with a maximum length of 65,535 (2^16 – 1) bytes. Each BLOB value is stored using a two-byte length prefix that indicates the number of bytes in the value.

You might be thinking of some other data types that MySQL offers: MEDIUMBLOB (16 MB) or LONGBLOB (4 GB).
#5

[eluser]Dam1an[/eluser]
[quote author="jedd" date="1245979720"]
There's two things I hate right now about documentation - what the PHP guys did to their front / index page of their reference manual (you now have to guess where your string functions hide), and what the MySQL guys (or probably Sun) did to their reference manual (it's just plain ugly - ctrl-f is way faster than any server-based search function can ever be, and I know that makes me sound old fashioned but that's just because I'm right).[/quote]

People actually go to a site to search it? I just put the site name and query into Google, much faster and seems to give me what I want?

Also, I just had a thought... Depending on the load on your site, would reading and writing that much session data to the database not cause some potentially serious congestion?
Having to potentially read and write the contents of a 16 page doc from/to the database for each page of the form process seems... slow
#6

[eluser]eyupci[/eluser]
jedd,
I tried longtext, longblob and other types, but the result is the same. The session is still deleted when I try to add heavy data. Something is blocking it but I can't find it.

Dam1an,
I am aware of how bad it is to process heavy data with forms and sessions, but in this case it seems I have no choice; the customer didn't want to upload the file and reach it from somewhere on the site. He insists on seeing it in HTML format and making it searchable.

Now I am trying native PHP session functions. If it works, then I'll send my best wishes to CodeIgniter.
#7

[eluser]Dam1an[/eluser]
Is the actual data row being deleted from the database, or is it just not accessible via the session class?
Does anything show up in the logs?
#8

[eluser]eyupci[/eluser]
Hi again, the problem still exists and now I have found what causes it. It's not a capacity problem. When I looked at the log files, I saw this:

Message: unserialize() [<a href='function.unserialize'>function.unserialize</a>]: Error at offset 674 of 678 bytes

This kind of input "'asd'"\' ´'"' blows up the session. The default xss_filter option is on and I am really confused why CodeIgniter lets it happen.
#9

[eluser]eyupci[/eluser]
I noticed that the \ character alone is enough to destroy the session.
#10

[eluser]eyupci[/eluser]
Okay, I fixed the problem and I see that there are some other topics that are closely related. My CI version is 1.7.1 and when I looked at the latest file in subversion, this problem is still there.

To reproduce the bug, configure your session to be stored in the database and make an array with two or more dimensions, and save it to the session. After you refresh or go to another page, you'll see that your session data is gone and you'll see unserialize errors in the log.

In the Session.php library there are two functions, _serialize and _unserialize. The CodeIgniter guys hopefully think the slash character ('\') can cause problems, but it's not enough.
Code:
#Session.php File
function _serialize($data)
{
  if (is_array($data))
  {
    foreach ($data as $key => $val) {
      $data[$key] = str_replace('\\', '{{slash}}', $val);            
    }  
  }else {
    $data = str_replace('\\', '{{slash}}', $data);        
  }
  return serialize($data);    
}

As you see, there is a check for whether the incoming data is an array. However, it only replaces slashes for one level of the array.
If your data is like:
$array['index1']['index2']['index3'] = '\ illegal slash character';

Then this function will not replace the slash character with the {{slash}} string. Then the unserialize method will not work. Blow Session(!)

The same problem also exists in the _unserialize function. So you should modify these functions and write a recursive function to replace slash characters. That's my quick solution and it works fine.
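
The recursive replacement described in the post above, as an added example that is not part of the original thread and not CodeIgniter's own code. The function names are hypothetical, the sample array is constructed, and the demo assumes the storage round trip strips backslashes (simulated with stripslashes()).

```php
<?php
const SLASH_TOKEN = '{{slash}}'; // placeholder string shown in the post

// Replace $search with $replace in every string leaf, at any array depth.
function replace_in_strings($data, string $search, string $replace)
{
    if (is_array($data)) {
        foreach ($data as $key => $val) {
            $data[$key] = replace_in_strings($val, $search, $replace);
        }
        return $data;
    }
    // Leave ints, bools, null etc. untouched so their types survive.
    return is_string($data) ? str_replace($search, $replace, $data) : $data;
}

function session_serialize($data): string
{
    return serialize(replace_in_strings($data, '\\', SLASH_TOKEN));
}

function session_unserialize(string $raw)
{
    // allowed_classes => false: session payloads here are plain arrays,
    // so never instantiate objects from stored data.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        return null; // corrupt payload: fail closed, do not use partial data
    }
    return replace_in_strings($data, SLASH_TOKEN, '\\');
}

// Constructed sample input: a backslash three levels deep, as in the post.
$session = [
    'index1' => ['index2' => ['index3' => '\\ illegal slash character']],
    'step'   => 2,
];

// Assumption for the demo: storage strips backslashes, which leaves
// serialize()'s string length prefix one byte too long.
$unsafe = @unserialize(stripslashes(serialize($session)));
$safe   = session_unserialize(stripslashes(session_serialize($session)));

var_dump($unsafe === false);  // the raw payload no longer parses
var_dump($safe === $session); // the recursive version survives the round trip
```

A user value that already contains the literal text {{slash}} comes back as a backslash with this scheme, so the placeholder is not a lossless encoding.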



