DB Session fails User Agent match
[eluser]paulkmoore[/eluser]
Hi. Hope I am posting this to the correct place, please redirect as required.

I have found a bug in DB Session (library) that causes sessions to be destroyed for some User Agent names. The validation checks (as per extract below) correctly test for a User Agent match, and trim the field read from the database.

Code:
$this->CI->db->where('session_id', $this->session_id);

However, the User Agent is NOT trimmed before being written to the database in sess_create(). This has caused (for me) both Safari and Chrome browsers to end up in a nasty 'session destruction' loop, where the User Agent match fails because of a trailing space which is successfully written to the DB, but only trimmed from the inbound data. The fix is to trim before writing, as below:

Code:
// Fix added by PKM on 2010-07-09 to trim the user agent string on writing to DB, else match fails when user agent ends with a space

Somewhat annoyingly the session is 'silently' destroyed, so this could also benefit from some improved logging.

Hope this helps someone.

Thanks
Paul
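The failure mode described in the post, reduced to a stand-alone script. This is an added example, not code from DB_Session or from CodeIgniter: a plain PHP array stands in for the session table, `SessionTable`, `canonical_user_agent()` and `demo()` are hypothetical names, and the User-Agent string and session id are constructed sample data. It contrasts the asymmetric path (raw value written, trimmed value compared) with a version that canonicalises the header in one function used by both the write and the compare.

```php
<?php
// Added example (not DB_Session's or CodeIgniter's code). Reproduces a
// session-validation mismatch caused by trimming the User-Agent on only one
// side of the comparison, using an in-memory array in place of the DB.

// Constructed sample header that ends in a space, the shape the post reports.
const SAMPLE_UA = 'Mozilla/5.0 (Macintosh) AppleWebKit/533.18 Safari/533.18.5 ';

/** Single canonical form, used for both storage and comparison (the fix). */
function canonical_user_agent($ua)
{
    return trim($ua);
}

class SessionTable
{
    private $rows = array();   // session_id => user_agent; stands in for the table
    private $trimOnWrite;

    public function __construct($trimOnWrite)
    {
        $this->trimOnWrite = (bool) $trimOnWrite;
    }

    // sess_create() equivalent. With $trimOnWrite = false the raw header,
    // trailing space included, is what lands in the table.
    public function create($sessionId, $userAgent)
    {
        $this->rows[$sessionId] = $this->trimOnWrite
            ? canonical_user_agent($userAgent)
            : $userAgent;
    }

    // sess_read() validation equivalent: the request's User-Agent is trimmed
    // and compared with the stored column. A mismatch is what makes a session
    // library discard the session and start over on every request.
    public function validate($sessionId, $userAgent)
    {
        if (!isset($this->rows[$sessionId])) {
            return false;
        }
        return $this->rows[$sessionId] === canonical_user_agent($userAgent);
    }
}

// Create a session, then validate a second request carrying the same header.
function demo($trimOnWrite)
{
    $table = new SessionTable($trimOnWrite);
    $sid   = 'c0ffee';   // constructed session id
    $table->create($sid, SAMPLE_UA);
    return $table->validate($sid, SAMPLE_UA);
}

foreach (array(false, true) as $trimOnWrite) {
    printf(
        "trim on write: %-5s => %s\n",
        $trimOnWrite ? 'yes' : 'no',
        demo($trimOnWrite) ? 'session kept' : 'session destroyed'
    );
}
```

Whether the untrimmed write actually bites depends on where the comparison happens: a PHP `===` or `!=` on the two strings sees the trailing space, whereas MySQL's default PAD SPACE collations ignore trailing spaces in an `=` comparison done inside the `WHERE` clause, so the same library can work on one database and loop on another. Normalising once, in one function called from both the write and the read path, removes that dependency. Note also that a User-Agent match only catches accidental session reuse; anyone who has stolen a session id can send the matching header, so it is not a defence against hijacking.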
[eluser]WanWizard[/eluser]
What do you mean by "DB Session"? I can't find this code anywhere in the CI session library (both 1.7.2 and 2.0).
[eluser]davidbehler[/eluser]
I think he's talking about this library: http://codeigniter.com/wiki/DB_Session/
[eluser]WanWizard[/eluser]
Ah, ok. According to the wiki text, this thing is based on the CI 1.4 session library, and never updated. Also, the primary reason for that library to exist was that at the time, the CI session library didn't have database support. Which is no longer the case. Ditch the DB Session library, and use the standard CI one...
[eluser]paulkmoore[/eluser]
Hi waldmeister - Yes, that's the library I'm talking about - sorry for not being more explicit.

WanWizard - the wiki information states that the library supports CI 1.4 and 1.5, and latterly references versions > 1.5. In the source there are references to 1.54 and 1.6. Whilst I understand that this isn't terribly recent, the libraries work well and I believe originate from EllisLabs (extract from the lib below):

Code:
@package CodeIgniter

The current CI session library sends all information stored in the session to the client cookie. Whilst this may be useful for some applications, I'd rather my internal user information didn't spill onto the client machine. The DB Session library was, I understand, designed so that the client cookie only contains the session id (and no other data), which is what I need.

If somebody could clarify where I should log this bug (CI Bug Tracker?) or perhaps somewhere for EllisLabs' other libraries, that would be useful.
[eluser]WanWizard[/eluser]
The current CI session library does NOT send all information to the client! The DB library was made for a CI version that did, but since then the CI library supports database sessions as well. As per the user guide:

"The Session class permits you maintain a user's "state" and track their activity while they browse your site. The Session class stores session information for each user as serialized (and optionally encrypted) data in a cookie. It can also store the session data in a database table for added security, as this permits the session ID in the user's cookie to be matched against the stored session ID. By default only the cookie is saved. If you choose to use the database option you'll need to create the session table as indicated below."

Read the documentation before you assume things.
[eluser]danmontgomery[/eluser]
[quote author="paulkmoore" date="1278907997"]
Code:
@package CodeIgniter
[/quote]

Where did this come from? The file reads:

Code:
/**
[eluser]Derek Allard[/eluser]
Hey Paul,

Even though this doesn't appear to be our code, I just wanted to say that this was a great job of figuring out what the problem was, and offering a solution. I see so many reports along the lines of "active record doesn't work", that it's great to see a well put together report. Looking forward to seeing more of your posts on the forums, and wanted to welcome you aboard.