My big fear about storing session data directly on cookies
#11

[eluser]fredpyo[/eluser]
Ouch, I've been a long time out :S.
Thanks for the interesting replies!

Today I faced the aforementioned CI app. And today was a good day, after half an hour or so I got it fixed.

....

It all began with me tinkering a little bit more with the setcookie function.

Turns out, that in my current installation, code like this:
Code:
setcookie('test',1);
setcookie('test',2);
setcookie('test',3);

Prints the following headers:
Quote:Set-cookie: test=1 test=2 test=3
Instead of:
Quote:Set-cookie: test=3

So... I read a little bit more, and tested a little bit more. It turns out that on my server, when I call setcookie, even if the variable name is the same as an existing cookie name, the previous cookie var is not replaced by the new one; instead the new one is appended to the cookie, including the old cookie var. Odd behaviour!

So on I went with my investigation, until using header('Set-cookie....'); saved the day for me.

Doing the following "patches" to the function sess_write() in CI's Session.php file:
Code:
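//setcookie(...) // comment setcookie for it doesn't seem to work correctly
$cookie_data = urlencode($cookie_data);
// Cookie expiry dates must be in GMT; date() with the "e" format printed local time plus a timezone identifier
$expires = gmdate("D, d-M-Y H:i:s", $this->sess_length + time()) . " GMT";
// header() replaces any previously set header of the same name by default
header("Set-Cookie: {$this->sess_cookie}=$cookie_data; expires=$expires; path=/; ");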

(I should really place this as an extension...)

Fun, isn't it?
#12

[eluser]Chillahan[/eluser]
Ah, so the issue only exists if you update the same session item multiple times before outputting to the browser? That is what your tests appear to bring to light. If so, that's not such a big issue, unless you have existing code that relies on being able to override existing to-be-written cookie/session data before output is flushed to the browser.

I thought the original post was saying that all session cookie data kept appending to itself, which would seem to make lots of installations hit the 4 KB limit quickly, but I can see more exactly what his issue was now. (which I don't think IS an issue for most installations)
#13

[eluser]fredpyo[/eluser]
Actually, all session cookie data kept appending to itself. Each time that I accessed any session data through the CI session object, sess_write is called (normal) and thus setcookie is called (normal) but instead of replacing the old session data, the new one is appended.

I think it might be some obscure issue with the PHP version I'm using or a configuration issue.
#14

[eluser]Colin Williams[/eluser]
Sounds like you're not even using the core Session class at all. Because if you were, you'd be setting cookie data with $this->session->set_userdata($array);
#15

[eluser]fredpyo[/eluser]
Oh, but I am actually using the core Session class, Colin :).
Quote:... Each time that I accessed any session data through the CI session object ...

I just dug into the code to see how it worked. Under the hood, this is what CI's Session class does:
1. From a controller, I call the following: $this->session->set_userdata($array);
2. Inside set_userdata(), once the data is copied to the data array, $this->sess_write() is called
3. sess_write() serializes the data and calls the setcookie() PHP function, which basically loads the cookie data into the headers.


So, the following CI code:
$this->session->set_userdata($data1);
$this->session->set_userdata($data2);
$this->session->set_userdata($data3);

Results in 3 calls to PHP's setcookie().

That's why in my tests, I simply called setcookie, to check if the error was a CI error or a PHP error (either because of a bug or misconfiguration) revolving around setcookie.

Indeed I discovered that several calls to setcookie seem to append rather than replace the cookie values; patching Session.php (CI's core session class) with header('Set-cookie:...'); worked just fine.


Hope it came out clear :D.
Did I miss anything? Did I just "patch" something that didn't need a patch?
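
An added example, not part of any post in this thread and not CodeIgniter's own code: one way to collapse repeated Set-Cookie lines for the same cookie down to the last one without discarding other cookies set in the same response. It assumes the repeated values show up as separate Set-Cookie lines in headers_list(); the function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not CodeIgniter's or PHP's.

// Browsers match stored cookies on name + Domain + Path, so key each line on those.
function cookie_key(string $line): string
{
    $parts = array_map('trim', explode(';', substr($line, strlen('Set-Cookie:'))));
    $key   = ['name' => explode('=', array_shift($parts), 2)[0], 'domain' => '', 'path' => ''];
    foreach ($parts as $p) {
        [$k, $v] = array_pad(explode('=', $p, 2), 2, '');
        $k = strtolower(trim($k));
        if ($k === 'domain' || $k === 'path') {
            $key[$k] = trim($v);
        }
    }
    return $key['name'] . '|' . strtolower($key['domain']) . '|' . $key['path'];
}

// Keep non-cookie headers and, for each cookie key, only the last Set-Cookie line.
function dedupe_set_cookie(array $headers): array
{
    $last = [];
    foreach ($headers as $i => $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $last[cookie_key($line)] = $i; // later lines overwrite earlier ones
        }
    }
    $keep = fn($line, $i) => stripos($line, 'Set-Cookie:') !== 0 || in_array($i, $last, true);
    return array_values(array_filter($headers, $keep, ARRAY_FILTER_USE_BOTH));
}

// Call before any output is sent: re-send the cookies without the stale copies.
function send_deduped_cookies(): void
{
    $kept = dedupe_set_cookie(headers_list());
    header_remove('Set-Cookie');
    foreach ($kept as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            header($line, false); // false: append, do not replace other cookies
        }
    }
}

if (PHP_SAPI === 'cli') {
    // Constructed sample of header lines after three writes of the same cookie.
    $sample = ['Content-Type: text/html', 'Set-Cookie: test=1', 'Set-Cookie: test=2',
               'Set-Cookie: other=x; path=/', 'Set-Cookie: test=3'];
    print_r(dedupe_set_cookie($sample));
}
```

Run from the command line, this prints the filtered sample; in a web request, send_deduped_cookies() would be called once after the last session write and before the first byte of output.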
#16

[eluser]JGarrido[/eluser]
I'd be interested to know as well, as I'm currently working on the sessions portion of my first CI site.
#17

[eluser]Derek Allard[/eluser]
You may be interested in this. http://derekallard.com/blog/post/codeign...-database/
#18

[eluser]JGarrido[/eluser]
Ah nice, thanks for the post Derek, I'll have to take a closer look at the new changes.

So... what kinda date are we looking at for the next gold release? :cheese:
#19

[eluser]Derek Allard[/eluser]
Of CI? You know... whenever it's ready. :)
#20

[eluser]JGarrido[/eluser]
Doh! Fair enough, I'm glad you folks are committed to such solid releases.
