Fixed a bug in the Session class when database sessions are used where upon session update all userdata would be errantly written to the session cookie.
Also rewrote a bit of the cookie handling code to be a bit more efficient and understandable
diff --git a/system/libraries/Session.php b/system/libraries/Session.php
index 7e50dce..4fe4497 100644
--- a/system/libraries/Session.php
+++ b/system/libraries/Session.php
@@ -252,16 +252,17 @@
return;
}
- // We need two copies of the session data array. One will contain any custom data
- // that might have been set. The other will contain the data that will be saved to the cookie
- $cookie_userdata = $this->userdata;
+ // set the custom userdata, the session data we will set in a second
$custom_userdata = $this->userdata;
-
+ $cookie_userdata = array();
+
// Before continuing, we need to determine if there is any custom data to deal with.
// Let's determine this by removing the default indexes to see if there's anything left in the array
+ // and set the session data while we're at it
foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
{
unset($custom_userdata[$val]);
+ $cookie_userdata[$val] = $this->userdata[$val];
}
// Did we find any custom data? If not, we turn the empty array into a string
@@ -271,14 +272,7 @@
$custom_userdata = '';
}
else
- {
- // Before we serialize the custom data array, let's remove that data from the
- // main session array since we do not want to save that info to the cookie
- foreach (array_keys($custom_userdata) as $val)
- {
- unset($cookie_userdata[$val]);
- }
-
+ {
// Serialize the custom data array so we can store it
$custom_userdata = serialize($custom_userdata);
}
@@ -365,14 +359,25 @@
$this->userdata['session_id'] = $new_sessid;
$this->userdata['last_activity'] = $this->now;
+ // _set_cookie() will handle this for us if we aren't using database sessions
+ // by pushing all userdata to the cookie.
+ $cookie_data = NULL;
+
// Update the session ID and last_activity field in the DB if needed
if ($this->sess_use_database === TRUE)
{
+ // set cookie explicitly to only have our session data
+ $cookie_data = array();
+ foreach (array('session_id','ip_address','user_agent','last_activity') as $val)
+ {
+ $cookie_data[$val] = $this->userdata[$val];
+ }
+
$this->CI->db->query($this->CI->db->update_string($this->sess_table_name, array('last_activity' => $this->now, 'session_id' => $new_sessid), array('session_id' => $old_sessid)));
}
// Write the cookie
- $this->_set_cookie();
+ $this->_set_cookie($cookie_data);
}
// --------------------------------------------------------------------
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 9cae52f..bad3d08 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -103,6 +103,7 @@
<li>Fixed a bug in the Email library with quoted-printable encoding improperly encoding space and tab characters.</li>
<li>Modified XSS sanitization to no longer add semicolons after &[single letter], such as in M&M's, B&B, etc.</li>
<li>Modified XSS sanitization to no longer strip XHTML image tags of closing slashes.</li>
+ <li>Fixed a bug in the Session class when database sessions are used where upon session update all userdata would be errantly written to the session cookie.</li>
</ul>
<h2>Version 1.6.3</h2>