[HttpFoundation] Added possibility to disable base_64 encoding of session #5483
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…sion data in PdoSessionHandler This may be necessary when sharing sessions with legacy applications. Added a setting called 'base64_encode' to the configuration array. By default, the base_64 encoding stays enabled, so it does not break BC. Unit tests included.
| return base64_decode($sessionRows[0][0]); | ||
| if ($this->dbOptions['base64_encode']) { | ||
| return base64_decode($sessionRows[0][0]); | ||
| } else { |
There was a problem hiding this comment.
else statement does not needed here, leave just return
added 2 commits
September 10, 2012 13:44
|
As said in the code comments, not encoding the data is not safe. So, I'm -1 on this change. |
|
I agree with fabien. Save the raw data into the database is not safe. |
|
When PHP serializes the object with private or protected methods the \0 is put before the property name and this means, that the serialized string is not safe. |
7 tasks
5 tasks
fabpot
added a commit
that referenced
this pull request
Oct 3, 2014
This PR was merged into the 2.6-dev branch. Discussion ---------- [HttpFoundation] enhance PdoSessionHandler | Q | A | ------------- | --- | Bug fix? | yes | New feature? | yes | BC breaks? | yes | Deprecations? | no | Tests pass? | yes | Fixed tickets | #5483, #2067, #2382, #9029 | License | MIT 0. [x] Continuation of locking implementation (#10908): Implement different locking strategies - `PdoSessionHandler::LOCK_TRANSACTIONAL` (default): Issues a real row lock but requires a transaction - `PdoSessionHandler::LOCK_ADVISORY`: app-level lock, safe as long as only the PdoSessionHandler accesses sessions, advantage is it does not require a transaction (not implemented for oracle or sqlsrv yet) - `PdoSessionHandler::LOCK_NONE`: basically what is was before, prone to race conditions, means the last session write wins 1. [x] Save session data as binary: Encoding session data was definitely the wrong solution. Session data is binary text (esp. when using other session.serialize_handler) that must stay as-is and thus must also be safed in a binary column. Base64 encoding session data just decreses performance and increases storage costs and is semantically wrong because it does not have a character encoding. That saving null bytes in Posgres won't work on a character column is also documented > First, binary strings specifically allow storing octets of value zero and other "non-printable" octets (usually, octets outside the range 32 to 126). Character strings disallow zero octets, and also disallow any other octet values and sequences of octet values that are invalid according to the database's selected character set encoding. http://www.postgresql.org/docs/9.1/static/datatype-binary.html#DATATYPE-BINARY-TABLE 2. [x] Implement lazy connections that are only opened when session is used by either passing a dsn string explicitly or falling back to session.save_path ini setting. Fixes #9029 3. [x] add a create table method that creates the correct table depending on database vendor. This makes the class self-documenting and standalone useable. 5. [x] add lifetime column to session table which allows to have different lifetimes for each session 6. [x] add isSessionExpired() method to be able to distinguish between a new session and one that expired due to inactivity, e.g. to display flash message to user 7. [x] added upgrade and changelog notes Commits ------- 1bc6680 [HttpFoundation] implement different locking strategies for sessions 6f5748e adjust sqlite table definition 5978fcf added upgrade and changelog notes for PdoSessionHandler 182a5d3 [HttpFoundation] add create table method to pdo session handler e79229d [HttpFoundation] allow different lifetime per session af1bb1f add test for null byte in session data 251238d [HttpFoundation] implement lazy connect for pdo session handler 7dad54c [HttpFoundation] remove base64 encoding of session data
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This may be necessary when sharing sessions with legacy applications. Added a setting called 'base64_encode' to the configuration array. By default, the base_64 encoding stays enabled, so it does not break BC. Unit tests included.
Please let me know what kind of documentation would need to be updated.
Bug fix: no
Feature addition: yes
Backwards compatibility break: no
Symfony2 tests pass: yes
Todo: Update documentation
License of the code: MIT