php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #78054 session_decode should optionally return data rather than populate $_SESSION
Submitted: 2019-05-23 04:07 UTC Modified: 2019-05-23 04:09 UTC
From: phpbugs dot ooglek at 0sg dot net Assigned:
Status: Open Package: Session related
PHP Version: 7.3.5 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
43 - 11 = ?
Subscribe to this entry?

 
 [2019-05-23 04:07 UTC] phpbugs dot ooglek at 0sg dot net
Description:
------------
Storing sessions in a Database is great for high-availability and sharing sessions across multiple web hosts. 

However, when one wants to deeply inspect the session data, such as an administrator or an Admin Tool that displays all the information about a current session, there seems to be two options.

1. For a short time, hijack $_SESSION

$tmp = session_encode();
session_decode($data);
$sessdata = $_SESSION;
session_decode($tmp); 

This replaces the current users' $_SESSION with the decoded data until one has time to restore it. If it doesn't restore successfully, you've got a bad situation.

2. Write your own unserialize functions. Wikimedia had to. Yuck. ADODB had one that preg_match'd on a Pipe character, but that broke if the value contained pipes. Someone else wrote a recursive one that worked pretty well and took advantage of the fact that unserialize() will stop unserializing at the next pipe in the string. OK but is that guaranteed to keep working forever?

If session_decode() would be able to return the decoded session (FALSE on failure as it does now, but success gives you the array/object), then nobody would have to write or maintain code that may or may not be exactly how session_decode() works.

Additionally if people start writing their own handlers, yikes. 

session_decode_return() or something similar would be fine too if you don't want to overload session_decode().


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-23 04:09 UTC] phpbugs dot ooglek at 0sg dot net
The three supported options for session.serialize_handler are 

php
php_binary
php_serialize (5.5.4+ only)

If someone writes their own handler, they now have to expose some method for someone else to decode their serialized session data.

session_decode() already knows how to handle this, no special case handling necessary.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Dec 08 02:01:25 2019 UTC