Skip to content

Commit

Permalink
Removes encryption and decryption, adds some error handling
Browse files Browse the repository at this point in the history 
Removes encryption and decryption from SessionCookie.  The encryption
and decrption will be handled elsewhere and can be enabled or disabled
via the cookies.encrypt config setting.

This fixes flash messaging/SessionCookie decoding failure when
cookies.encrypt = true
  • Loading branch information
@jeremykendall
jeremykendall committed Sep 19, 2013
1 parent 2be864c commit f16cfd6
Show file tree
Hide file tree
Showing 2 changed files with 395 additions and 33 deletions.
58 changes: 32 additions & 26 deletions Slim/Middleware/SessionCookie.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,15 +40,11 @@
* and instead serializes/unserializes the $_SESSION global
* variable to/from an HTTP cookie.
*
* If a secret key is provided with this middleware, the HTTP
* cookie will be checked for integrity to ensure the client-side
* cookie is not changed.
*
* You should NEVER store sensitive data in a client-side cookie
* in any format, encrypted or not. If you need to store sensitive
* user information in a session, you should rely on PHP's native
* session implementation, or use other middleware to store
* session data in a database or alternative server-side cache.
* in any format, encrypted (with cookies.encrypt) or not. If you
* need to store sensitive user information in a session, you should
* rely on PHP's native session implementation, or use other middleware
* to store session data in a database or alternative server-side cache.
*
* Because this class stores serialized session data in an HTTP cookie,
* you are inherently limited to 4 Kb. If you attempt to store
Expand Down Expand Up @@ -79,9 +75,6 @@ public function __construct($settings = array())
'secure' => false,
'httponly' => false,
'name' => 'slim_session',
'secret' => 'CHANGE_ME',
'cipher' => MCRYPT_RIJNDAEL_256,
'cipher_mode' => MCRYPT_MODE_CBC
);
$this->settings = array_merge($defaults, $settings);
if (is_string($this->settings['expires'])) {
Expand Down Expand Up @@ -127,14 +120,14 @@ protected function loadSession()
session_start();
}

$value = \Slim\Http\Util::decodeSecureCookie(
$this->app->request()->cookies($this->settings['name']),
$this->settings['secret'],
$this->settings['cipher'],
$this->settings['cipher_mode']
);
$value = $this->app->getCookie($this->settings['name']);

if ($value) {
$_SESSION = unserialize($value);
try {
$_SESSION = unserialize($value);
} catch (\Exception $e) {
$this->app->getLog()->error('Error unserializing session cookie value! ' . $e->getMessage());
}
} else {
$_SESSION = array();
}
Expand All @@ -145,17 +138,12 @@ protected function loadSession()
*/
protected function saveSession()
{
$value = \Slim\Http\Util::encodeSecureCookie(
serialize($_SESSION),
$this->settings['expires'],
$this->settings['secret'],
$this->settings['cipher'],
$this->settings['cipher_mode']
);
$value = serialize($_SESSION);

if (strlen($value) > 4096) {
$this->app->getLog()->error('WARNING! Slim\Middleware\SessionCookie data size is larger than 4KB. Content save failed.');
} else {
$this->app->response()->setCookie(
$this->app->setCookie(
$this->settings['name'],
array(
'value' => $value,
Expand All @@ -174,31 +162,49 @@ protected function saveSession()
* Session Handler
*******************************************************************************/

/**
* @codeCoverageIgnore
*/
public function open($savePath, $sessionName)
{
return true;
}

/**
* @codeCoverageIgnore
*/
public function close()
{
return true;
}

/**
* @codeCoverageIgnore
*/
public function read($id)
{
return '';
}

/**
* @codeCoverageIgnore
*/
public function write($id, $data)
{
return true;
}

/**
* @codeCoverageIgnore
*/
public function destroy($id)
{
return true;
}

/**
* @codeCoverageIgnore
*/
public function gc($maxlifetime)
{
return true;
Expand Down
Loading

0 comments on commit f16cfd6

Please sign in to comment.