CodeIgniter validates data that doesn't concern it
#1

[eluser]TheseAreTheFables[/eluser]
I have a server where I host several websites or mini-websites, all under the same domain. All these websites are independent and developed using various frameworks or CMS. They may have session data, set cookies, etc. although they obviously don't share any data.

Now, for some reason, CodeIgniter, on startup, seems to be looping through all the cookies on my domain and trying to validate them. That includes cookies that it didn't create (or need). The problem is that one of these other websites creates cookies that are deemed invalid by CodeIgniter. As a result, it crashes with a "Disallowed Key Characters" error. I checked the key and it's definitely created by a different web page. The cookies have names such as "c[nameofwebsite.com][/][authtoken]" and are created by Glype. I guess the fact that there's a "." in the name is the "problem".

Is it a known bug? Is there any way to prevent this error? I know I can comment out the _clean_input_data() function in Input.php but I would like a more permanent fix. Any suggestion?
#2

[eluser]InsiteFX[/eluser]
I think you will find that you have some other problem somewhere! The CodeIgniter Session Class uses the cookie name you define in application/config/config.php; the default is ci_sessions, so it is not reading other cookies. It only reads the ci_session cookie name unless you change the name.

You can verify this by viewing system/libraries/sessions.php

InsiteFX
#3

[eluser]TheseAreTheFables[/eluser]
Hmm... I'm not sure how sessions and cookies work in general, but it's definitely doing something it shouldn't be doing. It's actually very easy to replicate: just put a clean install of Glype and a clean install of CI on a server. Run Glype once, then run CI, and it crashes. I got this error on both my local and live servers.

When I look at Input.php::_sanitize_globals(), there's a long comment which says: "Also get rid of specially treated cookies that might be set by a server or silly application, that are of no use to a CI application anyway but that when present will trip our 'Disallowed Key Characters' alarm"

So it looks like it's indeed checking stuff that is "of no use to a CI application" and crashing on it.

Also it seems that the purpose of this routine is to clean-up keys so that they don't trigger the "Disallowed Key Characters" crash. However, instead of doing that, it's triggering the message it's trying to avoid.
#4

[eluser]InsiteFX[/eluser]
Awww! I see what you're saying now and you are right!

I would report this to the Reactor Team as a BUG to get it fixed ASAP.

InsiteFX
#5

[eluser]guidorossi[/eluser]
Have you tried setting this up in config.php?

Code:
/*
|--------------------------------------------------------------------------
| Cookie Related Variables
|--------------------------------------------------------------------------
|
| 'cookie_prefix' = Set a prefix if you need to avoid collisions
| 'cookie_domain' = Set to .your-domain.com for site-wide cookies
| 'cookie_path'   =  Typically will be a forward slash
|
*/
$config['cookie_prefix']    = '';
$config['cookie_domain']    = '';
$config['cookie_path']        = '/';

Maybe setting the cookie path to your CI application path on the domain can work...
#6

[eluser]InsiteFX[/eluser]
Code:
// Clean $_COOKIE Data
if (is_array($_COOKIE) AND count($_COOKIE) > 0)
{
    // Also get rid of specially treated cookies that might be set by a server
    // or silly application, that are of no use to a CI application anyway
    // but that when present will trip our 'Disallowed Key Characters' alarm
    // http://www.ietf.org/rfc/rfc2109.txt
    // note that the key names below are single quoted strings, and are not PHP variables
    unset($_COOKIE['$Version']);
    unset($_COOKIE['$Path']);
    unset($_COOKIE['$Domain']);

    foreach ($_COOKIE as $key => $val)
    {
        $_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
    }
}

// Sanitize PHP_SELF
$_SERVER['PHP_SELF'] = strip_tags($_SERVER['PHP_SELF']);

// CSRF Protection check
if ($this->_enable_csrf == TRUE)
{
    $this->security->csrf_verify();
}

log_message('debug', "Global POST and COOKIE data sanitized");
}

Where do you see a cookie prefix here?

InsiteFX
#7

[eluser]TheseAreTheFables[/eluser]
Yes, changing CodeIgniter's configuration won't change anything since it's checking all the cookies regardless of the prefix. Thanks for confirming that it's indeed a bug and not a feature; I will submit it to the bug tracker and see what happens.
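The behaviour diagnosed in this thread, as an added example that is neither CodeIgniter's code nor any poster's: the script below models how PHP turns Glype's bracketed cookie name into a nested $_COOKIE array, applies the key pattern that CodeIgniter 2.x uses in Input::_clean_input_keys() (assumed from that version; the real method calls exit() where this one throws), and then shows two non-fatal alternatives: dropping cookies whose keys fail the check, and only reading the cookies the application named itself via cookie_prefix. The cookie array, the Glype cookie value and the cookie names are constructed for the example. The point a practitioner should take from the thread is that cookies are attacker-controlled input: with the strict behaviour, anything that can set a cookie for the domain (another app on the same host, or a sibling subdomain when cookie_domain is set wide) can make every CodeIgniter request exit before a controller runs.

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter's code. KEY_PATTERN is assumed to match the
// regex in CI 2.x Input::_clean_input_keys(); everything else is illustrative.
const KEY_PATTERN = '/^[a-z0-9:_\/-]+$/i';

// Constructed input: what PHP puts in $_COOKIE for a request carrying
//   ci_session=<serialized session>; c[nameofwebsite.com][/][authtoken]=abc123
// PHP splits the bracketed name into nested arrays; the dot survives in the
// nested key, and that nested key is what fails the pattern.
$cookies = [
    'ci_session' => 'a:1:{s:10:"session_id";s:32:"0123456789abcdef0123456789abcdef";}',
    'c' => [
        'nameofwebsite.com' => [
            '/' => ['authtoken' => 'abc123'],
        ],
    ],
];

/** Strict check, as CI does it: one bad key anywhere aborts the whole request. */
function cleanKeysStrict(array $data): array
{
    $out = [];
    foreach ($data as $key => $val) {
        if (!preg_match(KEY_PATTERN, (string) $key)) {
            // CI calls exit('Disallowed Key Characters.') at this point.
            throw new RuntimeException("Disallowed Key Characters: $key");
        }
        $out[$key] = is_array($val) ? cleanKeysStrict($val) : $val;
    }
    return $out;
}

/** Lenient alternative: discard cookies with bad keys, keep the rest, report what was dropped. */
function cleanKeysLenient(array $data, array &$dropped = []): array
{
    $out = [];
    foreach ($data as $key => $val) {
        if (!preg_match(KEY_PATTERN, (string) $key)) {
            $dropped[] = (string) $key;
            continue;
        }
        if (is_array($val)) {
            $sub = cleanKeysLenient($val, $dropped);
            if ($sub === []) {
                continue; // the whole subtree belonged to a foreign app; drop it
            }
            $out[$key] = $sub;
        } else {
            $out[$key] = $val;
        }
    }
    return $out;
}

/** Allow-list alternative: only look at cookies the application itself named. */
function selectOwnCookies(array $data, string $prefix, array $names): array
{
    $own = [];
    foreach ($names as $name) {
        $full = $prefix . $name;
        if (array_key_exists($full, $data) && is_string($data[$full])) {
            $own[$full] = $data[$full];
        }
    }
    return $own;
}

// 1. CI-style strict cleaning: the Glype cookie aborts the request even though
//    CI never asked for it.
try {
    cleanKeysStrict($cookies);
    echo "strict: ok\n";
} catch (RuntimeException $e) {
    echo "strict: " . $e->getMessage() . "\n";
}

// 2. Lenient cleaning: the foreign cookie is dropped, ci_session survives.
$dropped = [];
$clean = cleanKeysLenient($cookies, $dropped);
echo "lenient kept: " . implode(',', array_keys($clean)) . "\n";
echo "lenient dropped: " . implode(',', $dropped) . "\n";

// 3. Allow-list: read only the names this app set (cookie_prefix is '' here,
//    as in the config fragment quoted above; 'csrf_cookie_name' is a placeholder).
$own = selectOwnCookies($cookies, '', ['ci_session', 'csrf_cookie_name']);
echo "own: " . implode(',', array_keys($own)) . "\n";
```

Run it with `php example.php`. The strict path reproduces the "Disallowed Key Characters" abort on the nested key "nameofwebsite.com"; the lenient and allow-list paths both leave the application with exactly its own ci_session cookie. Of the two, the allow-list is the safer design because it never iterates untrusted names at all, so no cookie a neighbour sets can influence what the framework does with the request.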
