Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

0.6.2 #86

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

0.6.2 #86

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ba28242
Fix sessionStart to follow PHP and respect session.use_strict_mode
ouuan Sep 13, 2023
ad2fa7d
Merge commit from fork
joanhey Nov 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 36 additions & 6 deletions src/Http.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -394,18 +394,40 @@ public static function sessionStarted(): bool
public static function sessionStart(): bool
{
if (static::$sessionStarted) {
trigger_error('session_start(): Ignoring session_start() because a session is already active', E_USER_NOTICE);
return true;
}
static::$sessionStarted = true;

$should_regenerate = ! isset($_COOKIE[static::$sessionName]) || empty($_COOKIE[static::$sessionName]);
if (! $should_regenerate) {
// https://www.php.net/manual/session.configuration.php#ini.session.use-strict-mode
$strict = \ini_get('session.use_strict_mode') == '1';
if (static::sessionValidateId($_COOKIE[static::$sessionName])) {
static::$sessionFile = static::$sessionSavePath . '/ses_' . $_COOKIE[static::$sessionName];
$session_file_exists = \is_file(static::$sessionFile);
if ($strict) {
$should_regenerate = ! $session_file_exists;
}
} else {
if ($strict) {
$should_regenerate = true;
} else {
trigger_error('session_start(): Session ID is too long or contains illegal characters. Only the A-Z, a-z, and 0-9 characters are allowed', E_USER_WARNING);
return static::$sessionStarted = false;
}
}
}

// Generate a SID.
if (!isset($_COOKIE[static::$sessionName]) || !\is_file(static::$sessionSavePath . '/ses_' . $_COOKIE[static::$sessionName])) {
if ($should_regenerate) {
// Create a unique session_id and the associated file name.
while (true) {
$session_id = static::sessionCreateId();
if (!\is_file($file_name = static::$sessionSavePath . '/ses_' . $session_id)) break;
}
static::$sessionFile = $file_name;
return static::setcookie(
return static::$sessionStarted = static::setcookie(
static::$sessionName
, $session_id
, static::$sessionCookieLifetime
Expand All @@ -415,11 +437,8 @@ public static function sessionStart(): bool
, static::$sessionCookieHttponly
);
}
if (!static::$sessionFile) {
static::$sessionFile = static::$sessionSavePath . '/ses_' . $_COOKIE[static::$sessionName];
}
// Read session from session file.
if (static::$sessionFile) {
if ($session_file_exists) {
$raw = \file_get_contents(static::$sessionFile);
if ($raw) {
$_SESSION = \unserialize($raw);
Expand All @@ -428,6 +447,17 @@ public static function sessionStart(): bool
return true;
}

/**
* Check whether a session ID is valid.
*
* @return bool
*/
protected static function sessionValidateId(string $session_id): bool
{
// Limit the file name (ses_$session_id) length to 255 characters
return \strlen($session_id) <= 251 && \ctype_alnum($session_id);
}

/**
* Save session.
* @return bool
Expand Down