Bug in Session destroy when using domain cookies


jsantos81

Community Member, 3 Posts

12 November 2011 at 11:58pm

Edited: 12/11/2011 11:58pm

Hi,

I am using Silverstripe 2.4.6 and I found a bug when calling the method destroy from Session class. In fact, this method works fine if the PHP Session is not assigned to a specific domain. However, when it occurs, the PHPSESSID is not cleaned as expected.

Analyzing the source code, I realized that, when creating the session, Silverstripe is considering the domain and path.

	public static function start($sid = null) {
		self::load_config();
		$path = self::get_cookie_path();
		$domain = self::get_cookie_domain();
		$secure = self::get_cookie_secure();

		if(!session_id() && !headers_sent()) {
			// The session cookie is registered with the configured path and domain.
			if($domain) {
				session_set_cookie_params(self::$timeout, $path, $domain, $secure /* secure */, true /* httponly */);
			} else {
				session_set_cookie_params(self::$timeout, $path, null, $secure /* secure */, true /* httponly */);
			}
			// ... remainder of start() omitted in the post
		}
	}

However, the same does not happen in the destroy method

	public static function destroy($removeCookie = true) {
		if(session_id()) {
			if($removeCookie) {
				// No path or domain is passed, so the browser is told to expire
				// a cookie that does not match the one start() created.
				setcookie(session_name(), '');
				unset($_COOKIE[session_name()]);
			}
			session_destroy();
		}
	}

The result is that, when creating the cookie, the server sends this header:
Set-Cookie: PHPSESSID=an0918hnjouo8j027c4on7dju1; path=/; domain=.myDomain.com; HttpOnly

but when destroying, only part of this information is sent:
Set-Cookie: PHPSESSID=deleted; expires=Fri, 12-Nov-2010 10:42:28 GMT

My suggestion to fix this issue:

	public static function destroy($removeCookie = true) {
		if(session_id()) {
			if($removeCookie) {
				// Use the same path/domain/secure settings as start() so the
				// expiry header matches the cookie the browser actually holds.
				$path = self::get_cookie_path();
				$domain = self::get_cookie_domain();
				$secure = self::get_cookie_secure();

				if($domain) {
					setcookie(session_name(), '', null, $path, $domain, $secure, true);
				}
				else {
					setcookie(session_name(), '', null, $path, null, $secure, true);
				}
				unset($_COOKIE[session_name()]);
			}
			session_destroy();
		}
	}

Thanks
João Santos
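To show why the mismatched headers matter on the browser side, here is an added example (not from the post or from SilverStripe) that models a cookie jar keyed by name, domain and path as in RFC 6265 and replays the two Set-Cookie headers quoted above. The request host www.mydomain.com, the fixed clock and the corrected deletion header are assumptions made for the example.

```python
"""Model how a browser cookie jar treats the Set-Cookie headers quoted in
the post. A jar keys cookies by (name, domain, path), so a deletion header
that omits the domain/path used when the cookie was set targets a different
cookie and leaves the original PHPSESSID in place. Sample data is constructed."""
from datetime import datetime

REQUEST_HOST = "www.mydomain.com"     # assumed host the browser talked to
NOW = datetime(2011, 11, 12, 23, 58)  # fixed clock so the run is deterministic

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def apply_set_cookie(jar, header, host=REQUEST_HOST, now=NOW):
    """Store or delete a cookie in `jar`. Domain defaults to the request host
    and path to '/' when absent (simplified RFC 6265 section 5.3)."""
    name, value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", host).lstrip(".").lower()
    key = (name, domain, attrs.get("path", "/"))
    expires = attrs.get("expires")
    if expires and datetime.strptime(expires, "%a, %d-%b-%Y %H:%M:%S GMT") <= now:
        jar.pop(key, None)        # expiry in the past means "delete this cookie"
    else:
        jar[key] = value
    return jar

def session_ids_still_sent(jar):
    """PHPSESSID values the browser would still attach to requests."""
    return sorted(v for (name, _, _), v in jar.items() if name == "PHPSESSID")

# Constructed from the two headers quoted in the post, plus the header the
# proposed fix would emit (same expiry, but with matching path and domain).
SET_HEADER = "PHPSESSID=an0918hnjouo8j027c4on7dju1; path=/; domain=.myDomain.com; HttpOnly"
BUGGY_DELETE = "PHPSESSID=deleted; expires=Fri, 12-Nov-2010 10:42:28 GMT"
FIXED_DELETE = BUGGY_DELETE + "; path=/; domain=.myDomain.com"

def run(delete_header):
    """Set the session cookie, then apply a deletion header; return ids left."""
    jar = apply_set_cookie({}, SET_HEADER)
    return session_ids_still_sent(apply_set_cookie(jar, delete_header))

if __name__ == "__main__":
    print("buggy:", run(BUGGY_DELETE), "fixed:", run(FIXED_DELETE))
```

With the buggy header the browser keeps sending the old session id, so a later session_start() revives a known id; with the matching attributes the cookie is actually removed.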

Willr

Forum Moderator, 5523 Posts

13 November 2011 at 1:51pm

João, please submit bugs to open.silverstripe.org or patches to the github account as pull requests. That way they won't get lost on the forum and the core devs can review your work!

Cheers,