
Update MysqlSession: strict session IDs, new internal implementation


@acoulton acoulton released this 17 Feb 16:22
· 138 commits to 1.x since this release
1e5a8c7

The updated handler solves a couple of edge cases where the session data could be written but not read if using the wrong hash. This would for example occur if an attacker attempted to overwrite an existing session, or if the hash salt changed during a user's session. The new handler uses strict session mode and custom handler logic to validate the session ID, including checking the hash, and issues a new session ID if it is invalid. The updated logic is also more performant at the database as sessions are only INSERTed on creation and subsequently UPDATEd, rather than the previous INSERT...ON DUPLICATE KEY UPDATE.

**Note** that `->initialise()` now sets the `session.use_strict_mode` ini value as it is required for proper operation. This should be set anyway, and is only relevant to the handler (of which there can be only one) so this is not considered to be true global state or a breaking change.
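To illustrate how strict mode and a hash-checking handler interact, here is an added example of a standalone PHP session handler; it is not the project's MysqlSession code and makes its own assumptions: a PDO connection, a `sessions` table (`id VARCHAR(80) PRIMARY KEY, data BLOB, updated INT`), and a session ID format of 32 random hex characters plus a 16-character HMAC over them keyed with a salt. With `session.use_strict_mode=1`, PHP calls `validateId()` before trusting any incoming cookie; an attacker-chosen ID or one hashed with an old salt fails the HMAC check, so PHP asks `create_sid()` for a fresh ID instead of calling `write()` under an ID that `read()` would never have accepted. Because a session is only ever created via `create_sid()` or a `read()` miss, `write()` can INSERT once and UPDATE afterwards.

```php
<?php
// Added example, not the project's code. Assumes PDO, a `sessions` table
// (id VARCHAR(80) PRIMARY KEY, data BLOB, updated INT) and a hypothetical
// ID format "<32 hex random>-<16 hex hmac>".
declare(strict_types=1);

final class StrictMysqlSessionHandler implements
    SessionHandlerInterface,
    SessionIdInterface,
    SessionUpdateTimestampHandlerInterface
{
    // Set when the current ID has no row yet, so the next write() must INSERT.
    private bool $isNew = false;

    public function __construct(private PDO $db, private string $salt) {}

    public static function initialise(PDO $db, string $salt): void
    {
        // Strict mode makes PHP call validateId() on every incoming cookie and
        // discard IDs the handler does not recognise; without it PHP would
        // happily write() under whatever ID the client sent.
        ini_set('session.use_strict_mode', '1');
        session_set_save_handler(new self($db, $salt), true);
    }

    private function hashFor(string $random): string
    {
        return substr(hash_hmac('sha256', $random, $this->salt), 0, 16);
    }

    // Called by PHP for a new session or on session_regenerate_id().
    public function create_sid(): string
    {
        $random = bin2hex(random_bytes(16));
        $this->isNew = true;
        return $random . '-' . $this->hashFor($random);
    }

    // Strict mode: true only for an ID we issued AND that exists in the table.
    public function validateId(string $id): bool
    {
        if (!preg_match('/^([0-9a-f]{32})-([0-9a-f]{16})$/', $id, $m)) {
            return false;
        }
        if (!hash_equals($this->hashFor($m[1]), $m[2])) {
            return false; // forged ID, or salt changed since it was issued
        }
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        return (bool) $stmt->fetchColumn();
    }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        if ($data === false) {
            $this->isNew = true; // no row yet: first write() inserts
            return '';
        }
        return (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        if ($this->isNew) {
            $sql = 'INSERT INTO sessions (id, data, updated) VALUES (:id, :data, :now)';
            $this->isNew = false;
        } else {
            $sql = 'UPDATE sessions SET data = :data, updated = :now WHERE id = :id';
        }
        return $this->db->prepare($sql)
            ->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->db->prepare('UPDATE sessions SET updated = ? WHERE id = ?')
            ->execute([time(), $id]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
}

// Usage (assumed DSN and salt):
// StrictMysqlSessionHandler::initialise(new PDO('mysql:dbname=app;host=127.0.0.1', 'u', 'p'), 'rotate-me');
// session_start();
```

Two details matter for the edge cases described above. `validateId()` must return false for an ID that passes the hash check but has no row, otherwise PHP would accept a stale cookie and `write()` would UPDATE zero rows; and `isNew` is set in both `create_sid()` and the `read()` miss path because PHP does not call `read()` again after regenerating an ID, so the INSERT/UPDATE decision cannot rely on `read()` alone.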