08-29-2007, 03:24 PM
[eluser]alpar[/eluser]
I use sessions stored in a database, and enabled user agent matching.
Actually I had modified the original library to store all the data in the database, but I also checked the original library, and it seems that it is the same.
When saving the session id, only 50 characters are saved, like so:
Code:
substr($this->CI->input->user_agent(), 0, 50)
Now imagine that the user agent is computed in such a way that the last character is a space. When you insert it in the database, MySQL will strip that off, inserting a string of length 49 characters. When re-matching, a string of 50 characters (with the last space) will not match a 49-character string (without it). So the session system becomes useless for the user who is unfortunate enough to have such a user agent. I got one with SUSE Linux 10.2 + Firefox...
A solution: store and compare the md5 hash of the first 50 characters of the user agent.
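
The mismatch and the proposed fix, as an added PHP example that is not part of the original post or CodeIgniter's own library code. `store_in_db()` is a hypothetical stand-in that mimics the trailing-space stripping with `rtrim`, and the user agent string is constructed so that its 50th character is a space.

```php
<?php
// Hypothetical stand-in for the database column: trailing spaces are dropped
// on storage, as the post describes for MySQL (assumption: mimicked with rtrim).
function store_in_db(string $value): string
{
    return rtrim($value, ' ');
}

// What the post says is stored: the first 50 characters of the user agent.
function ua_raw(string $user_agent): string
{
    return substr($user_agent, 0, 50);
}

// The post's proposed fix: the md5 hash of those same 50 characters.
// The hash is 32 hex characters, so it never ends in a space.
function ua_hashed(string $user_agent): string
{
    return md5(substr($user_agent, 0, 50));
}

// Session check: the stored value must equal the value recomputed per request.
function session_matches(string $stored, string $current): bool
{
    return $stored === $current;
}

// Constructed user agent (not a captured one); character 50 is a space.
$ua = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1) Gecko/20070000 Firefox/2.0';
if (substr($ua, 49, 1) !== ' ') {
    throw new RuntimeException('sample user agent must have a space at position 50');
}

// Raw scheme: the stored copy loses the trailing space and no longer matches.
$stored_raw = store_in_db(ua_raw($ua));
printf("raw:    stored length %d, request length %d, match: %s\n",
    strlen($stored_raw), strlen(ua_raw($ua)),
    var_export(session_matches($stored_raw, ua_raw($ua)), true));

// Hashed scheme: the stored hash survives storage unchanged and matches.
$stored_hash = store_in_db(ua_hashed($ua));
printf("hashed: stored length %d, request length %d, match: %s\n",
    strlen($stored_hash), strlen(ua_hashed($ua)),
    var_export(session_matches($stored_hash, ua_hashed($ua)), true));
```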