How to get userdata from encrypted sessions database according to session id?
#1

[eluser]Christophe28[/eluser]
Hello,

I'm trying to install swf upload in codeigniter. I managed to install everything properly and the upload function works fine. So far so good!

But now I'd like to put the uploaded file in the correct directory according to the username which is set in the sessions database. However, there is a small bug in swfupload which they get around by sending the session id of the user's COOKIE in a POST. So in the upload() function I get this by ... $this->input->post('PHPSESSID') ... but then what?

How can I get the username belonging to the PHPSESSID?

Thx for any help!

Christophe
#2

[eluser]pickupman[/eluser]
In application/config/config.php, you can enable session information to be stored in DB. A little more secure than file method. In the user guide, there is the sql statement to add it to your database. Then query the ci_sessions table for the session id you have.
#3

[eluser]Christophe28[/eluser]
Hi,

Yes, the database is already setup, but when I query the sessions database using the session_id I get as userdata (where the username is in) something like:

Code:
[user_data] => a:3:{s:7:"user_id";s:1:"1";s:8:"username";s:10:"Somename";s:9:"logged_in";s:1:"1";}

How can I get the username from this result?

Best,
Christophe
#4

[eluser]danmontgomery[/eluser]
That's a serialized array. You can turn it back into an array with unserialize()
#5

[eluser]Christophe28[/eluser]
I would be really, really happy if somebody could help me out here. I have searched the internet including this forum, but I'm stuck on the following problem ...

The '$this->input->post('PHPSESSID')' I mentioned earlier doesn't work anymore. There was a COOKIE with 'PHPSESSID' set in the earlier stage of development which was still saved in the browser, but after deleting all my cookies I saw that the new COOKIE looks like:

VALUE = vMjy67ozc9qO+tMhCsFiE9OlT7FWfJ2CiESWSSKwIDPB5RfMy4v0NelzxvpnHOGIE5bmb4JFfNdhPMYbF1 iKjQdVjbW2m//8Xb8Y+KlyG+PE5SnzK3HITwoPqKoo+kdjHK17B3ZsrFvEj/y9yaENrtKbgYX2oLaxxLnLXl7EXgtn MJwtlzOlwfc4WuwyFycSB3DbaJMC7Mz6KiYUWmUJOI2Lu+ ... and so on.

I think this is an encrypted cookie?

So now I'm back to off again. I use the swfupload.cookies.js plugin which sends the value of the cookie along with the uploadurl as parameters but how to handle this on the server? I don't know what and how to catch this parameter?

I'm really stuck here. Can somebody please help me out? I would be so happy if this would work!

If you need additional information, please reply to this mail.

Thanks!!!

Christophe

swfupload.cookies.js plugin
Code:
/*
    Cookie Plug-in
    
    This plug in automatically gets all the cookies for this site and adds them to the post_params.
    Cookies are loaded only on initialization.  The refreshCookies function can be called to update the post_params.
    The cookies will override any other post params with the same name.
*/

var SWFUpload;
if (typeof(SWFUpload) === "function") {
    SWFUpload.prototype.initSettings = function (oldInitSettings) {
        return function () {
            if (typeof(oldInitSettings) === "function") {
                oldInitSettings.call(this);
            }
            
            this.refreshCookies(false);    // The false parameter must be sent since SWFUpload has not initialized at this point
        };
    }(SWFUpload.prototype.initSettings);
    
    // refreshes the post_params and updates SWFUpload.  The sendToFlash parameters is optional and defaults to True
    SWFUpload.prototype.refreshCookies = function (sendToFlash) {
        if (sendToFlash === undefined) {
            sendToFlash = true;
        }
        sendToFlash = !!sendToFlash;
        
        // Get the post_params object
        var postParams = this.settings.post_params;
        
        // Get the cookies
        // document.cookie is one "name=value; name2=value2" string for the current site
        var i, cookieArray = document.cookie.split(';'), caLength = cookieArray.length, c, eqIndex, name, value;
        for (i = 0; i < caLength; i++) {
            c = cookieArray[i];
            
            // Left Trim spaces
            while (c.charAt(0) === " ") {
                c = c.substring(1, c.length);
            }
            eqIndex = c.indexOf("=");
            if (eqIndex > 0) {
                name = c.substring(0, eqIndex);
                value = c.substring(eqIndex + 1);
                postParams[name] = value;
            }
        }
        
        if (sendToFlash) {
            this.setPostParams(postParams);
        }
    };

}
#6

[eluser]danmontgomery[/eluser]
It's being posted along with the other data, and you can see how the cookie is decrypted if you look at sess_read() in the session library:

Code:
$session = $this->CI->input->cookie($this->sess_cookie_name);

// No cookie?  Goodbye cruel world!...
if ($session === FALSE)
{
    log_message('debug', 'A session cookie was not found.');
    return FALSE;
}

// Decrypt the cookie data
if ($this->sess_encrypt_cookie == TRUE)
{
    $session = $this->CI->encrypt->decode($session);
}
#7

[eluser]Christophe28[/eluser]
Hi,

Thank you!!! You brought me again a step closer, but I noticed a problem (well ... I think it's a problem)

During login there is a cookie set with some userdata (username, user_id, ...) and it is that user_data I'm after. But when I click on upload (which in swfupload is a small Flash button) apparently there is another session started and it's that cookie which is sent along with the upload. In other words, when I decode the cookie, unserialize() it and show the session_id, I get the session_id of the second session with 'Shockwave Flash' as user_agent, not the session_info from the authentication cookie which I need ...

How can I get around this?

Thank you very much for your help!!!

Christophe
#8

[eluser]pickupman[/eluser]
I haven't used SWFupload as the syntax seemed pretty long for uploads, but would it be possible to pass your hidden input with the one sent from SWFUpload?
#9

[eluser]Christophe28[/eluser]
Hi,

I have simplified the problem a little bit. I have noticed I can't catch the cookie only when the $config['sess_use_database'] is set to TRUE. When I set this in config.php to FALSE I can catch the cookie which is sent along with the upload (using the swfupload.cookies.js as mentioned above) using the following (simple) code:

Code:
// catch the encrypted cookie
$enc_cookie = $this->input->post('sess_cook');
        
// decode the encrypted cookie
$cookie = $this->encrypt->decode($enc_cookie);
$session = unserialize($cookie);

// put the session username (from the cookie, not from session) in the database just to test
$this->load->model('my_model');
$this->my_model->insert($session['username']);

But I would like to use the sessions database (anyway) so I can compare the session id from the cookie with the session id from the database to authenticate the upload and get the username from the session stored in the database.

Does anybody know why there is no cookie post when I store the sessions in the database?

Almost there! :) Thanks for all your help!

Christophe
#10

[eluser]WanWizard[/eluser]
Of course there is. How do you think the session class can match the request to the correct session record?

As per the manual: When you use database backed sessions, NO userdata is stored in the cookie. So no way to retrieve information from the cookie client-side.

You keep on referring to PHPSESSID. In CI, that does not exist. You get the session ID with $this->session->userdata('session_id');
The only way I've ever got SWFupload to work was to retrieve the session id in the controller, and include it as a variable so that SWFupload could send it back using POST. Then extend the session library to use this posted variable to retrieve the session, instead of the session cookie.

Note: this is extremely insecure. You can better fetch the encrypted session cookie value, have SWFupload post that back, and use that in your extended Session library.
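
The lookup this thread works toward, as an added example that is not code from any poster or from CodeIgniter: given a session id recovered from the POSTed value, find the ci_sessions row and read the username without trusting the input. The in-memory SQLite table, the function name username_for_session, the 7200-second lifetime and the username pattern are assumptions made for illustration.

```php
<?php
// Constructed stand-in for the ci_sessions table (columns assumed; sample row mirrors post #3).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ci_sessions (session_id TEXT PRIMARY KEY, user_agent TEXT,
           last_activity INTEGER, user_data TEXT)');
$sample = serialize(['user_id' => '1', 'username' => 'Somename', 'logged_in' => '1']);
$db->prepare('INSERT INTO ci_sessions VALUES (?, ?, ?, ?)')
   ->execute([str_repeat('a', 32), 'Mozilla/5.0', time(), $sample]);

// Hypothetical helper: returns the username for a live, logged-in session, or null.
function username_for_session(PDO $db, $posted_id, $max_age = 7200)
{
    // The posted value is attacker-controlled: accept only the expected shape
    // (assumed here: 32 lowercase hex characters) before it reaches the query.
    if (!is_string($posted_id) || !preg_match('/\A[a-f0-9]{32}\z/', $posted_id)) {
        return null;
    }

    // Parameterised query: the id is never concatenated into SQL.
    $stmt = $db->prepare('SELECT user_data, last_activity FROM ci_sessions WHERE session_id = ?');
    $stmt->execute([$posted_id]);
    $rec = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($rec === false || (int) $rec['last_activity'] < time() - $max_age) {
        return null; // unknown or expired session
    }

    // allowed_classes => false stops unserialize() from instantiating objects,
    // so a tampered user_data column cannot trigger magic methods.
    $data = @unserialize($rec['user_data'], ['allowed_classes' => false]);
    if (!is_array($data) || empty($data['logged_in']) || !isset($data['username'])) {
        return null;
    }

    // The username becomes a directory name, so allow-list its characters
    // to keep "../" and similar out of the upload path.
    $name = (string) $data['username'];
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) ? $name : null;
}

var_dump(username_for_session($db, str_repeat('a', 32))); // known session
var_dump(username_for_session($db, '../../etc/passwd'));  // malformed id
var_dump(username_for_session($db, str_repeat('b', 32))); // well-formed but unknown id
```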