DB Session fails User Agent match
#1

[eluser]paulkmoore[/eluser]
Hi

Hope I am posting this to the correct place, please redirect as required.

I have found a bug in DB Session (library) that causes sessions to be destroyed for some User Agent names

The validation checks (as per extract below) correctly test for a User Agent match, and trim the field read from the database.

Code:
$this->CI->db->where('session_id', $this->session_id);
if ($this->CI->config->item('sess_match_ip') == TRUE) {
    $this->CI->db->where('ip_address', $this->CI->input->ip_address());
}
if ($this->CI->config->item('sess_match_useragent') == TRUE) {
    // Inbound user agent is truncated AND trimmed before being compared with the stored value
    $this->CI->db->where('user_agent', trim(substr($this->CI->input->user_agent(), 0, USER_AGENT_MAX_SIZE)));
}

However, the User Agent is NOT trimmed before being written to the database in sess_create().

This has caused (for me) both Safari and Chrome browsers to end up in a nasty 'session destruction' loop, where the User Agent match fails because of a trailing space which is successfully written to the DB, but only trimmed from the inbound data.

Fix is to trim before write as below:

Code:
// Fix added by PKM on 2010-07-09 to trim the user agent string on writing to DB, else match fails when user agent ends with a space
'user_agent'     => trim(substr($this->CI->input->user_agent(), 0, USER_AGENT_MAX_SIZE)),
//'user_agent'     => substr($this->CI->input->user_agent(), 0, USER_AGENT_MAX_SIZE),

Somewhat annoyingly the session is 'silently' destroyed - so this could also benefit from some improved logging.

Hope this helps someone

Thanks

Paul
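An added illustration of the write/read asymmetry described above, in plain PHP with an in-memory stand-in for the sessions table; this is not the DB_Session library's code or Paul's patch, and the function names and the value of USER_AGENT_MAX_SIZE are assumed:

```php
<?php
// Added example, not code from the DB_Session library. It models the library's
// write and read paths so the trailing-space mismatch can be seen in isolation.
// USER_AGENT_MAX_SIZE mirrors the library's constant; the value here is assumed.
const USER_AGENT_MAX_SIZE = 50;

// In-memory stand-in for the sessions table: session_id => row.
$sessions = [];

// Buggy sess_create(): truncates but does NOT trim, so a trailing space is stored.
function sess_create_buggy(array &$table, string $sessionId, string $userAgent): void
{
    $table[$sessionId] = ['user_agent' => substr($userAgent, 0, USER_AGENT_MAX_SIZE)];
}

// Fixed sess_create(): normalises exactly the way the read side does.
function sess_create_fixed(array &$table, string $sessionId, string $userAgent): void
{
    $table[$sessionId] = ['user_agent' => trim(substr($userAgent, 0, USER_AGENT_MAX_SIZE))];
}

// Read-side check, equivalent to the where('user_agent', trim(substr(...))) clause.
// Returns true on a match; on a mismatch it destroys the row but logs WHY, instead
// of the silent destruction the thread complains about.
function sess_validate(array &$table, string $sessionId, string $userAgent): bool
{
    if (!isset($table[$sessionId])) {
        error_log("session $sessionId: no such row");
        return false;
    }
    $inbound = trim(substr($userAgent, 0, USER_AGENT_MAX_SIZE));
    $stored  = $table[$sessionId]['user_agent'];
    if ($stored !== $inbound) {
        // json_encode makes the trailing space visible in the log line.
        error_log(sprintf('session %s destroyed: user_agent mismatch stored=%s inbound=%s',
            $sessionId, json_encode($stored), json_encode($inbound)));
        unset($table[$sessionId]);
        return false;
    }
    return true;
}

// Constructed user agent ending in a space, the case Safari/Chrome triggered for Paul.
$ua = "Mozilla/5.0 (Macintosh) AppleWebKit/533 Safari/533 ";

// Buggy path: the stored value keeps the space, the inbound value loses it, so the
// session is destroyed on the very next request and a fresh one is created: the loop.
sess_create_buggy($sessions, 'sid-1', $ua);
$buggyResult = sess_validate($sessions, 'sid-1', $ua);

// Fixed path: both sides apply the same normalisation, so the session survives.
sess_create_fixed($sessions, 'sid-1', $ua);
$fixedResult = sess_validate($sessions, 'sid-1', $ua);
```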
#2

[eluser]WanWizard[/eluser]
What do you mean by "DB Session"?

I can't find this code anywhere in the CI session library (both 1.7.2 and 2.0).
#3

[eluser]davidbehler[/eluser]
I think he's talking about this library: http://codeigniter.com/wiki/DB_Session/
#4

[eluser]WanWizard[/eluser]
Ah, ok.

According to the wiki text, this thing is based on the CI 1.4 session library, and never updated. Also, the primary reason for that library to exist was that at the time, the CI session library didn't have database support. Which is no longer the case.

Ditch the DB Session library, and use the standard CI one...
#5

[eluser]paulkmoore[/eluser]
Hi

waldmeister - Yes, that's the library I'm talking about - sorry for not being more explicit.

WanWizard - the wiki information states that the library supports CI 1.4 and 1.5, and latterly references versions > 1.5. In the source there are references to 1.54 and 1.6.

Whilst I understand that this isn't terribly recent, the libraries work well and I believe originate from EllisLabs (extract from the lib below)

Code:
@package    CodeIgniter
@author        ExpressionEngine Dev Team
@copyright    Copyright (c) 2006, EllisLab, Inc.

The current CI session library sends all information stored in the session to the client cookie. Whilst this may be useful for some applications, I'd rather my internal user information didn't spill onto the client machine. The DB Session library was, I understand, designed so that the client cookie only contains the session id (and no other data), which is what I need.

If somebody could clarify where I should log this bug (CI Bug Tracker?) or perhaps somewhere for EllisLabs' other libraries that would be useful.
#6

[eluser]WanWizard[/eluser]
The current CI session library does NOT send all information to the client!

The DB library was made for a CI version that did, but since then the CI library supports database sessions as well.

As per the user guide:
"The Session class permits you to maintain a user's "state" and track their activity while they browse your site. The Session class stores session information for each user as serialized (and optionally encrypted) data in a cookie. It can also store the session data in a database table for added security, as this permits the session ID in the user's cookie to be matched against the stored session ID. By default only the cookie is saved. If you choose to use the database option you'll need to create the session table as indicated below."

Read the documentation before you assume things.
#7

[eluser]danmontgomery[/eluser]
[quote author="paulkmoore" date="1278907997"]
Code:
@package    CodeIgniter
@author        ExpressionEngine Dev Team
@copyright    Copyright (c) 2006, EllisLab, Inc.
[/quote]

Where did this come from? The file reads:

Code:
/**
* Session Class
*
* @package        CodeIgniter
* @subpackage    Libraries
* @category    Sessions
* @author        Dready
* @inpiredFrom Session class by Rick Ellis
* @inspireFrom Native_Session by Dariusz Debowczyk
* @link        http://dready.jexiste.fr/dotclear/index.php?2006/09/13/19-reworked-session-handler-for-code-igniter
*/
#8

[eluser]Derek Allard[/eluser]
Hey Paul,

Even though this doesn't appear to be our code, I just wanted to say that this was a great job of figuring out what the problem was, and offering a solution. I see so many reports along the lines of "active record doesn't work", that it's great to see a well put together report.

Looking forward to seeing more of your posts on the forums, and wanted to welcome you aboard.
