This repository has been archived by the owner on Jan 31, 2020. It is now read-only.

Is SessionManager::isValid() works properly? #21

Closed
Stafox opened this issue Feb 3, 2016 · 1 comment

Comments

@Stafox
Contributor

Stafox commented Feb 3, 2016

In accordance with the session validation issue in zf1, I tried to reproduce the same issue in zf2.

Using cURL, I send an invalid session id:

    curl -X POST -H "Cookie: PHPSESSID=(null)" http://zf2project.local/

And I got a warning:

    Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

I debugged the process and found that the isValid() method returns true.
Could somebody explain to me why no default validator (to validate the session id) is attached?

Maybe it makes sense to add additional validation like zf1 did?

    // zf1-style check: the allowed alphabet depends on
    // session.hash_bits_per_character (PHP < 7.1)
    function isValidSessionId($id)
    {
        $hashBitsPerChar = ini_get('session.hash_bits_per_character');
        if (!$hashBitsPerChar) {
            $hashBitsPerChar = 5; // the default value
        }
        switch ((int) $hashBitsPerChar) {
            case 4: $pattern = '^[0-9a-f]*$'; break;
            case 5: $pattern = '^[0-9a-v]*$'; break;
            case 6: $pattern = '^[0-9a-zA-Z-,]*$'; break; // '-' right after a range is literal
            default: return false; // PHP only accepts 4, 5 or 6 here
        }
        // note: '*' also accepts an empty id
        return (bool) preg_match('#'.$pattern.'#', $id);
    }

For example, create Zend\Session\Validator\Id and attach it to the SessionManager validator chain?

@SvenRtbg

This validation bites us. Essentially, we changed the session id configuration of PHP, and now this validation complains about old existing session ids which do not fit the currently configured scheme.

Old session IDs do exist, and they won't magically disappear. From what I've heard, mobile devices with web apps don't exit their browser, MacOS browsers are also "hard to exit", and like to keep their session cookies. Effectively we have to deal with a lot of users coming with old scheme session ids, and the only solution is to disable the session id validation again (because the PHP backend can deal with them with no problem).

The bad thing is: The change necessary to configure this is not documented. Nothing here: https://docs.zendframework.com/zend-session/manager/. The only hint is the changelog entry, which does not really explain the full array path necessary to configure it.

The better solution would be to validate the ID, but regenerate (or create - because regenerate comes in the context of an existing session with data to be preserved, which is not the case here) a new one if the old is found invalid.
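One way to do what the issue and the comment above ask for, as an added example that is not zend-session's code nor either commenter's: it checks the cookie id against the alphabet and length PHP is configured to generate, and when the id cannot be valid (such as the "(null)" cookie from the cURL call) it replaces it with a freshly generated one instead of letting session_start() warn. It assumes the PHP 7.1+ ini keys session.sid_length and session.sid_bits_per_character, falling back to the pre-7.1 session.hash_bits_per_character that the zf1 snippet reads; the function names are mine.

```php
<?php
declare(strict_types=1);

// Added example (not zend-session code). Assumes PHP 7.1+ ini keys with a
// fallback to the pre-7.1 key; function names are illustrative.

/** Regex for the configured id alphabet and, where known, exact length. */
function sessionIdPattern(): string
{
    $bits = (int) (ini_get('session.sid_bits_per_character')
        ?: ini_get('session.hash_bits_per_character') ?: 5);
    switch ($bits) {
        case 4:  $alphabet = '0-9a-f';      break;
        case 6:  $alphabet = '0-9a-zA-Z,-'; break; // '-' last, so literal
        default: $alphabet = '0-9a-v';      break; // 5 bits, PHP's default
    }
    // session.sid_length exists from PHP 7.1; older builds derive the length
    // from the hash function, so accept any non-empty length there.
    $length = (int) ini_get('session.sid_length');
    $count  = $length > 0 ? '{' . $length . '}' : '+';
    return '/^[' . $alphabet . ']' . $count . '$/';
}

function isValidSessionId(string $id): bool
{
    return preg_match(sessionIdPattern(), $id) === 1;
}

/**
 * Start the session without handing PHP an id that cannot be valid: such an
 * id is replaced by a freshly generated one (the "create a new one" case),
 * so the request proceeds with an empty session and no warning. Caveat from
 * the comment above: after the id scheme changes, every old-scheme id fails
 * this check and that visitor loses their old session.
 */
function startSessionSafely(): void
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !isValidSessionId((string) $_COOKIE[$name])) {
        unset($_COOKIE[$name]);          // session_start() reads this array
        session_id(session_create_id()); // PHP 7.1+: a fresh, valid id
    }
    session_start();
}

startSessionSafely();
```

Call startSessionSafely() before any output, where the application would otherwise call session_start().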
