From 74c5f2668d31f7384ea5f014014356144059cbf3 Mon Sep 17 00:00:00 2001 From: Tyler Brownell Date: Fri, 13 Dec 2013 00:23:12 -0500 Subject: Issue #2763 - Fixes Session GC Probability Calculation This should resolve issue #2763 where the cookie session garbage collection was running every request. --- system/libraries/Session/drivers/Session_cookie.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/libraries/Session/drivers/Session_cookie.php') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index d3d22d03a..cd8074474 100644 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -841,7 +841,7 @@ class CI_Session_cookie extends CI_Session_driver { $probability = ini_get('session.gc_probability'); $divisor = ini_get('session.gc_divisor'); - if ((mt_rand(0, $divisor) / $divisor) < $probability) + if (mt_rand(1, $divisor) <= $probability) { $expire = $this->now - $this->sess_expiration; $this->CI->db->delete($this->sess_table_name, 'last_activity < '.$expire); -- cgit v1.2.3-24-g4f1b From 5d6b9c597a9870f55a65bcfcb301d19d83447078 Mon Sep 17 00:00:00 2001 From: Jordan Eldredge Date: Sat, 21 Dec 2013 13:56:41 -0800 Subject: Remove unneeded manual escaping of session data --- .../libraries/Session/drivers/Session_cookie.php | 63 ++-------------------- 1 file changed, 3 insertions(+), 60 deletions(-) (limited to 'system/libraries/Session/drivers/Session_cookie.php') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index cd8074474..124e0098e 100644 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php 
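Review bot: `mt_rand(1, $divisor)` is given the raw `ini_get()` string, and nothing visible in the hunk guards against `session.gc_divisor` being 0 or empty. On PHP versions where mt_rand() warns and returns FALSE for an invalid range, `FALSE <= $probability` evaluates to true, so garbage collection would again run on every request, which is the bug this commit sets out to fix. I would cast and guard: `$divisor = (int) ini_get('session.gc_divisor');` and `if ($divisor > 0 && mt_rand(1, $divisor) <= (int) $probability)`. The enclosing garbage-collection method starts and ends outside the hunk.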
@@ -739,86 +739,29 @@ class CI_Session_cookie extends CI_Session_driver { /** * Serialize an array * - * This function first converts any slashes found in the array to a temporary - * marker, so when it gets unserialized the slashes will be preserved + * This function serializes an array * * @param mixed Data to serialize * @return string Serialized data */ protected function _serialize($data) { - if (is_array($data)) - { - array_walk_recursive($data, array(&$this, '_escape_slashes')); - } - elseif (is_string($data)) - { - $data = str_replace('\\', '{{slash}}', $data); - } - return serialize($data); } // ------------------------------------------------------------------------ - /** - * Escape slashes - * - * This function converts any slashes found into a temporary marker - * - * @param string Value - * @param string Key - * @return void - */ - protected function _escape_slashes(&$val, $key) - { - if (is_string($val)) - { - $val = str_replace('\\', '{{slash}}', $val); - } - } - - // ------------------------------------------------------------------------ - /** * Unserialize * - * This function unserializes a data string, then converts any - * temporary slash markers back to actual slashes + * This function unserializes a data string * * @param mixed Data to unserialize * @return mixed Unserialized data */ protected function _unserialize($data) { - $data = @unserialize(trim($data)); - - if (is_array($data)) - { - array_walk_recursive($data, array(&$this, '_unescape_slashes')); - return $data; - } - - return is_string($data) ? 
str_replace('{{slash}}', '\\', $data) : $data; - } - - // ------------------------------------------------------------------------ - - /** - * Unescape slashes - * - * This function converts any slash markers back into actual slashes - * - * @param string Value - * @param string Key - * @return void - */ - protected function _unescape_slashes(&$val, $key) - { - if (is_string($val)) - { - $val = str_replace('{{slash}}', '\\', $val); - } + return @unserialize(trim($data)); } // ------------------------------------------------------------------------ -- cgit v1.2.3-24-g4f1b From 5306cad2e40596a3a6fcac787e54689a7095e769 Mon Sep 17 00:00:00 2001 From: Jordan Eldredge Date: Mon, 23 Dec 2013 11:10:51 -0800 Subject: Remove _serialize() and _unserialize() methods Since removing the unneeded manual escaping code, there is no-longer any reason to have the serialization functions abstracted. This also allows us to only suppress errors when unserializing cookie data, and only trim when we are unserializing database data (see commit 6b8312). --- .../libraries/Session/drivers/Session_cookie.php | 38 +++------------------- 1 file changed, 4 insertions(+), 34 deletions(-) (limited to 'system/libraries/Session/drivers/Session_cookie.php') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index 124e0098e..dc75d8e8e 100644 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -397,7 +397,7 @@ class CI_Session_cookie extends CI_Session_driver { } // Unserialize the session array - $session = $this->_unserialize($session); + $session = @unserialize($session); // Is the session data we unserialized an array with the correct format? if ( ! is_array($session) OR ! isset($session['session_id'], $session['ip_address'], $session['user_agent'], $session['last_activity'])) 
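Review bot: Session payloads written before this change still carry the `{{slash}}` marker, and the new `_unserialize()` no longer converts it back. Any stored value that held a backslash would therefore surface with the literal marker until that cookie or database row expires. If that is acceptable, it should be recorded where upgraders will see it, for example a docblock line on `_unserialize()` such as `* Note: data serialized by earlier versions may still contain '{{slash}}' markers.` Otherwise the reverse conversion could be kept for one release.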
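Review bot: `@unserialize($session)` operates on a value that originates in the client's cookie, and the `@` means a malformed or tampered payload fails without leaving any trace. The integrity check that should come before this line sits above the hunk, so please confirm the cookie is rejected before this call whenever its HMAC does not match, because unserialize() can instantiate classes named in the payload. I would add a comment above the call, `// $session must already have passed the HMAC check; never unserialize an unverified cookie`. Where the runtime is PHP 7 or later, I would also pass `array('allowed_classes' => FALSE)` as the second argument. The enclosing method begins and ends outside the hunk.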
@@ -472,7 +472,7 @@ class CI_Session_cookie extends CI_Session_driver { $row = $query->row(); if ( ! empty($row->user_data)) { - $custom_data = $this->_unserialize($row->user_data); + $custom_data = unserialize(trim($row->user_data)); if (is_array($custom_data)) { @@ -608,7 +608,7 @@ class CI_Session_cookie extends CI_Session_driver { if ( ! empty($userdata)) { // Serialize the custom data array so we can store it - $set['user_data'] = $this->_serialize($userdata); + $set['user_data'] = serialize($userdata); } // Reset query builder values. @@ -696,7 +696,7 @@ class CI_Session_cookie extends CI_Session_driver { : $this->userdata; // Serialize the userdata for the cookie - $cookie_data = $this->_serialize($cookie_data); + $cookie_data = serialize($cookie_data); if ($this->sess_encrypt_cookie === TRUE) { @@ -736,36 +736,6 @@ class CI_Session_cookie extends CI_Session_driver { // ------------------------------------------------------------------------ - /** - * Serialize an array - * - * This function serializes an array - * - * @param mixed Data to serialize - * @return string Serialized data - */ - protected function _serialize($data) - { - return serialize($data); - } - - // ------------------------------------------------------------------------ - - /** - * Unserialize - * - * This function unserializes a data string - * - * @param mixed Data to unserialize - * @return mixed Unserialized data - */ - protected function _unserialize($data) - { - return @unserialize(trim($data)); - } - - // ------------------------------------------------------------------------ - /** * Garbage collection * -- cgit v1.2.3-24-g4f1b From bfb635b276d880336db795f1a603de66ccfc80f6 Mon Sep 17 00:00:00 2001 
From: Andrey Andreev Date: Wed, 8 Jan 2014 18:32:05 +0200 Subject: Make newline standardization configurable Added ['standardize_newlines'] Also altered the Session cookie driver, which experienced issues with this feature due to it's HMAC verification failing after the Input class alters newlines in non-encrypted session cookies. Supersedes PR #2470 --- .../libraries/Session/drivers/Session_cookie.php | 25 +++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) (limited to 'system/libraries/Session/drivers/Session_cookie.php') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index dc75d8e8e..65debcb44 100644 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -165,6 +165,8 @@ class CI_Session_cookie extends CI_Session_driver { */ public $now; + // ------------------------------------------------------------------------ + /** * Default userdata keys * @@ -184,6 +186,15 @@ class CI_Session_cookie extends CI_Session_driver { */ protected $data_dirty = FALSE; + /** + * Standardize newlines flag + * + * @var bool + */ + protected $_standardize_newlines; + + // ------------------------------------------------------------------------ + /** * Initialize session driver object * @@ -209,9 +220,11 @@ class CI_Session_cookie extends CI_Session_driver { 'sess_time_to_update', 'time_reference', 'cookie_prefix', - 'encryption_key' + 'encryption_key', ); + $this->_standardize_newlines = (bool) $config['standardize_newlines']; + foreach ($prefs as $key) { $this->$key = isset($this->_parent->params[$key]) 
@@ -695,6 +708,16 @@ class CI_Session_cookie extends CI_Session_driver { ? array_intersect_key($this->userdata, $this->defaults) : $this->userdata; + // The Input class will do this and since we use HMAC verification, + // unless we standardize here as well, the hash won't match. + if ($this->_standardize_newlines) + { + foreach (array_keys($this->userdata) as $key) + { + $this->userdata[$key] = preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $this->userdata[$key]); + } + } + // Serialize the userdata for the cookie $cookie_data = serialize($cookie_data); -- cgit v1.2.3-24-g4f1b From 4ea76cc2216b19bfae38dbbfe7104c21ee278d81 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Wed, 8 Jan 2014 21:49:23 +0200 Subject: Fix 2 errors caused by recent commits --- system/libraries/Session/drivers/Session_cookie.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system/libraries/Session/drivers/Session_cookie.php') diff --git a/system/libraries/Session/drivers/Session_cookie.php b/system/libraries/Session/drivers/Session_cookie.php index 65debcb44..971dfeabe 100644 --- a/system/libraries/Session/drivers/Session_cookie.php +++ b/system/libraries/Session/drivers/Session_cookie.php @@ -223,7 +223,7 @@ class CI_Session_cookie extends CI_Session_driver { 'encryption_key', ); - $this->_standardize_newlines = (bool) $config['standardize_newlines']; + $this->_standardize_newlines = (bool) config_item('standardize_newlines'); foreach ($prefs as $key) { -- cgit v1.2.3-24-g4f1b
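Review bot: The added loop standardizes `$this->userdata`, but the value serialized on the next line is `$cookie_data`, which appears to have been copied from `$this->userdata` by the ternary just above (its left-hand side is outside the hunk). PHP arrays are copied by value, so the cookie payload and its HMAC would still be built from the unstandardized strings. That is the mismatch with the Input class which the added comment describes. The loop also passes every value through preg_replace(), which turns integers into strings and raises a notice on nested arrays. Standardizing `$cookie_data` itself, and only its string values, avoids both problems.

```php
// … unchanged: $cookie_data selected from $this->userdata …

// The Input class will do this and since we use HMAC verification,
// unless we standardize here as well, the hash won't match.
if ($this->_standardize_newlines)
{
	foreach ($cookie_data as $key => $value)
	{
		// Only strings can carry newlines; leave ints, bools and arrays untouched.
		if (is_string($value))
		{
			$cookie_data[$key] = preg_replace('/(?:\r\n|[\r\n])/', PHP_EOL, $value);
		}
	}
}

// Serialize the userdata for the cookie
$cookie_data = serialize($cookie_data);
```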