php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #43980 Difficult to unserialize session data in user session save function
Submitted: 2008-01-30 02:49 UTC Modified: 2013-08-21 02:13 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: rhm31 at cam dot ac dot uk Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: * OS: *
Private report: No CVE-ID: None
View Developer Edit
 [2008-01-30 02:49 UTC] rhm31 at cam dot ac dot uk 
Description:
------------
A custom session handler has a save function, which is given an opaque piece of session data. No functions are provided to modify this data, even though this can be useful in some cases.

As a workaround, session_decode and session_encode can be used. However, there are some problems:
1. BUG:session_start() must be called in the save function; presumably because in the save handler the session is already closed.
2. HARD TO USE:The functions do not simply take a string and return an array or vise-versa; instead they work directly on the $_SESSION array. This means you cannot easily use them for generic purposes.

A function that implements decode_session below could be added to the standard library, and the existing functions deprecated, since this function subsumes them.
Also, a similar function for encode_session.


Reproduce code:
---------------
function decode_session($session_string)
{
	$current_session=session_encode();
	foreach($_SESSION as $key => $value)
	{
		unset($_SESSION[$key]);
	}
	session_decode($session_string);
	$restored_session = $_SESSION;
	foreach ($_SESSION as $key => $value){
		unset($_SESSION[$key]);
	}
	session_decode($current_session);
	return $restored_session;
}

Expected result:
----------------
The session_string to be decoded and returned as an array.

Actual result:
--------------
An empty array is returned with no error message when above function is called from a session save handler.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-03-17 00:47 UTC] jani@php.net 
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.
 [2008-03-17 15:12 UTC] rhm31 at cam dot ac dot uk 
From the documentation:

session_encode

(PHP 4, PHP 5)

session_encode ? Encodes the current session data as a string
Description
string session_encode ( void )

This signature is wrong, since it assumes you want to encode the current $_SESSION variable, but sometimes you don't want to and you want to encode something else.

This is not specific to PHP4 only.
 [2011-04-08 21:24 UTC] jani@php.net
-Package: Feature/Change Request +Package: Session related -Operating System: Linux +Operating System: * -PHP Version: 5 +PHP Version: *
 [2011-10-04 22:59 UTC] tklingenberg at lastflood dot net 
If you want to encode something else (e.g. an array with keys as variable names), you can just mimic the PHP session handler by:

<?php
$encoded = '';
foreach($array as $name => $value)
{
    $encoded .= $name.'|'.serialize($value);
}
?>

Ensure that the serialize handler as well as the session serialize handler is "PHP". Decoding is not that simple however, you would require a library https://github.com/ktomk/Serialized as of now.

To have another tool in the box, a decode/encode function pair with a parameter of type "variable" array (like $_SESSION) and a parameter type string with the name of the serialize handler would be useful, maybe even two function pairs, one for session (variable list) and one for the actual values (un/serialize) but I think this won't work for the serially encoded values out of the box, so you always need to unserialize all, which means instantiation of objects etc..
 [2012-03-31 03:27 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2012-03-31 03:27 UTC] yohgaki@php.net 
I think next release should have new handler encode with plain serialize and set 
it to default.

This will lead to BC problems certain users, but current implementation is legacy 
one for supporting global session variables.
 [2013-08-10 08:25 UTC] yohgaki@php.net 
Related To: Bug #65359
 [2013-08-21 02:13 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2013-08-21 02:13 UTC] yohgaki@php.net 
php_serialize will be available from PHP 5.5.4.

http://git.php.net/?p=php-
src.git;a=commit;h=c51f77fe83cea3a48d89423863e6916b77628e47
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Nov 01 02:00:01 2025 UTC