Login fails with pdo session storage on PostgreSql #2067
Comments
|
do you have any errors in postgresql logs? |
|
No, there were no errors. After calling "/login" action: execute pdo_stmt_00000001: SELECT sess_data FROM session WHERE sess_id = $1
parameters: $1 = 'b5qplnngm3ecc4tttvihecelo1'
execute pdo_stmt_00000002: INSERT INTO session (sess_id, sess_data, sess_time) VALUES ($1, $2, $3)
parameters: $1 = 'b5qplnngm3ecc4tttvihecelo1', $2 = '', $3 = '1315384577'
execute pdo_stmt_00000003: UPDATE session SET sess_data = $1, sess_time = $2 WHERE sess_id = $3
parameters: $1 = '_symfony2|a:3:{s:10:"attributes";a:0:{}s:7:"flashes";a:0:{}s:6:"locale";s:2:"en";}', $2 = '1315384577', $3 = 'b5qplnngm3ecc4tttvihecelo1'
execute pdo_stmt_00000001: SELECT sess_data FROM session WHERE sess_id = $1
parameters: $1 = 'b5qplnngm3ecc4tttvihecelo1'
execute pdo_stmt_00000002: UPDATE session SET sess_data = $1, sess_time = $2 WHERE sess_id = $3
parameters: $1 = '_symfony2|a:3:{s:10:"attributes";a:0:{}s:7:"flashes";a:0:{}s:6:"locale";s:2:"en";}', $2 = '1315384578', $3 = 'b5qplnngm3ecc4tttvihecelo1'Now there is 1 row in session table. After entering the correct username and password and than pressing login button: execute pdo_stmt_00000001: SELECT sess_data FROM session WHERE sess_id = $1
parameters: $1 = 'b5qplnngm3ecc4tttvihecelo1'
execute pdo_stmt_00000001: SELECT t0.id AS id1, t0.username AS username2, t0.password AS password3 FROM users t0 WHERE t0.username = $1
parameters: $1 = 'mtamas'
execute pdo_stmt_00000002: UPDATE session SET sess_data = $1, sess_time = $2 WHERE sess_id = $3
parameters: $1 = '_symfony2|a:3:{s:10:"attributes";a:1:{s:14:"_security_main";s:451:"C:74:"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":363:{a:3:{i:0;N;i:1;s:4:"main";i:2;s:323:"a:4:{i:0;O:22:"UserBundle\Entity\User":4:{s:5:"', $2 = '1315384693', $3 = 'r8s2c5p8npblbl0rq2dbicv026'
execute pdo_stmt_00000003: INSERT INTO session (sess_id, sess_data, sess_time) VALUES ($1, $2, $3)
parameters: $1 = 'r8s2c5p8npblbl0rq2dbicv026', $2 = '_symfony2|a:3:{s:10:"attributes";a:1:{s:14:"_security_main";s:451:"C:74:"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken":363:{a:3:{i:0;N;i:1;s:4:"main";i:2;s:323:"a:4:{i:0;O:22:"UserBundle\Entity\User":4:{s:5:"', $3 = '1315384693'
execute pdo_stmt_00000001: SELECT sess_data FROM session WHERE sess_id = $1
parameters: $1 = 'r8s2c5p8npblbl0rq2dbicv026'
execute pdo_stmt_00000002: UPDATE session SET sess_data = $1, sess_time = $2 WHERE sess_id = $3
parameters: $1 = '_symfony2|a:3:{s:10:"attributes";a:0:{}s:7:"flashes";a:0:{}s:6:"locale";s:2:"en";}', $2 = '1315384693', $3 = 'r8s2c5p8npblbl0rq2dbicv026'
execute pdo_stmt_00000001: SELECT sess_data FROM session WHERE sess_id = $1
parameters: $1 = 'r8s2c5p8npblbl0rq2dbicv026'
execute pdo_stmt_00000002: UPDATE session SET sess_data = $1, sess_time = $2 WHERE sess_id = $3
parameters: $1 = '_symfony2|a:3:{s:10:"attributes";a:0:{}s:7:"flashes";a:0:{}s:6:"locale";s:2:"en";}', $2 = '1315384693', $3 = 'r8s2c5p8npblbl0rq2dbicv026'Now there are 2 records in sessions table. |
|
Hi, It seems that I hit the same problem here. Any hint where to start looking for solution to the problem? Best regards, |
|
Symfony\Component\HttpFoundation\SessionStorage\PdoSessionStorage sessionWrite($id, $data) gets a different $data for MySQL and PostgreSQL. Here is $data for MySQL Here is $data for PostgreSQL array(1) { [0]=> array(1) $data for PostgreSQL appears to be incomplete. |
|
I've spent a couple of hours on this. Everything works if base64_encode the session data. Looking at the encoded session it seems, that there are some null characters in serialized session -> serialized data is not binary safe! blame that to PHP. |
|
Do you use a PHP version < 5.3.6 ? |
|
I'm using php PHP 5.3.8 |
|
No it's 5.3.8. And it won't work please read this http://www.postgresql.org/docs/8.3/interactive/libpq-exec.html#LIBPQ-EXEC-ESCAPE-STRING. on the postgresql side. Object's private members have the class name prepended to the member name; protected members have a '*' prepended to the member name. These prepended values have null bytes on either side. P.S. Let's add to this that some smart admin might have set up a igbinary as a default serializer and then everything falls apart. |
|
We had the same issue when storing profiles into the profiler. We have fixed it by base64 encoding after serialization ( |
|
Ok, PR coming. |
Commits ------- 0907111 session data needs to be encoded because it can contain non binary safe characters e.g null. Fixes #2067 Discussion ---------- session data needs to be encoded because it can contain non binary safe characters e.g null., part 2 Bug fix: yes Feature addition: no Backwards compatibility break: yes Symfony2 tests pass: yes Fixes the following tickets: #2067 I'm marking this as a compatibility break because session table should be cleared and even if not cleared all currently logged in users will be logged out. This is the fix for a same issue in DBAL session storage made against master. --------------------------------------------------------------------------- by schmittjoh at 2011/10/12 02:44:19 -0700 If I understand this correctly, only the PgSqlPlatform is affected by this. What do you think about adding an ``ìnstanceof PgSqlPlatform`` check? --------------------------------------------------------------------------- by mvrhov at 2011/10/12 03:47:52 -0700 It's the same for sqlite, it just happens that mysql escapes \0, so we can say it's driver dependent. The Drupal guys had the same issue http://drupal.org/node/690746 , they changed to column type to bytea for pgsql and for mysql to blob, also in Drupal report you can find that storing this into a session hash_file('md5', 'CHANGELOG.txt', TRUE) will trigger the similar problem in mysql. The other thing to consider is what I mentioned in original bugreport, e.g igbinary as default serializer for session data.
This PR was merged into the 2.6-dev branch. Discussion ---------- [HttpFoundation] enhance PdoSessionHandler | Q | A | ------------- | --- | Bug fix? | yes | New feature? | yes | BC breaks? | yes | Deprecations? | no | Tests pass? | yes | Fixed tickets | #5483, #2067, #2382, #9029 | License | MIT 0. [x] Continuation of locking implementation (#10908): Implement different locking strategies - `PdoSessionHandler::LOCK_TRANSACTIONAL` (default): Issues a real row lock but requires a transaction - `PdoSessionHandler::LOCK_ADVISORY`: app-level lock, safe as long as only the PdoSessionHandler accesses sessions, advantage is it does not require a transaction (not implemented for oracle or sqlsrv yet) - `PdoSessionHandler::LOCK_NONE`: basically what is was before, prone to race conditions, means the last session write wins 1. [x] Save session data as binary: Encoding session data was definitely the wrong solution. Session data is binary text (esp. when using other session.serialize_handler) that must stay as-is and thus must also be safed in a binary column. Base64 encoding session data just decreses performance and increases storage costs and is semantically wrong because it does not have a character encoding. That saving null bytes in Posgres won't work on a character column is also documented > First, binary strings specifically allow storing octets of value zero and other "non-printable" octets (usually, octets outside the range 32 to 126). Character strings disallow zero octets, and also disallow any other octet values and sequences of octet values that are invalid according to the database's selected character set encoding. http://www.postgresql.org/docs/9.1/static/datatype-binary.html#DATATYPE-BINARY-TABLE 2. [x] Implement lazy connections that are only opened when session is used by either passing a dsn string explicitly or falling back to session.save_path ini setting. Fixes #9029 3. [x] add a create table method that creates the correct table depending on database vendor. This makes the class self-documenting and standalone useable. 5. [x] add lifetime column to session table which allows to have different lifetimes for each session 6. [x] add isSessionExpired() method to be able to distinguish between a new session and one that expired due to inactivity, e.g. to display flash message to user 7. [x] added upgrade and changelog notes Commits ------- 1bc6680 [HttpFoundation] implement different locking strategies for sessions 6f5748e adjust sqlite table definition 5978fcf added upgrade and changelog notes for PdoSessionHandler 182a5d3 [HttpFoundation] add create table method to pdo session handler e79229d [HttpFoundation] allow different lifetime per session af1bb1f add test for null byte in session data 251238d [HttpFoundation] implement lazy connect for pdo session handler 7dad54c [HttpFoundation] remove base64 encoding of session data
Take an empty project.
Configure session handling to use pdo with postgresql.
Users coming from in_memory provider.
Login is handled by form_login.
Result:
When login form (/login) comes in for the first time, 1 session is created for the user.
After successful authentication, another session row is created in the session table and/but logged user is still anonymous.
With default (native) session handling everything is working fine.
With mysql the user is logged in, but gets a new session, instead of continuing with the existing one (is it normal?)
So the problem is that session handling with postgre it's unable to get the user logged in.
(the results were the same with using FOSUserBundle)
Symfony: 2.0.1
PHP: 5.3.3-7+squeeze3
Postgre: PostgreSQL 8.4.8
System: Linux dev 2.6.32-5-686 #1 SMP Mon Jun 13 04:13:06 UTC 2011 i686
The text was updated successfully, but these errors were encountered: