Jump to:

21287 Posts in 5733 Topics by 2602 members

General Questions

SilverStripe Forums » General Questions » Bug in Session destroy when using domain cookies

General questions about getting started with SilverStripe that don't fit in any of the categories above.

Moderators: martimiz, Howard, Sean, Ryan M., biapar, Willr, Ingo, swaiba, simon_w

Page: 1
Go to End
Author Topic: 397 Views
  • jsantos81
    Avatar
    Community Member
    3 Posts

    Bug in Session destroy when using domain cookies Link to this post

    12 November 2011 at 11:58pm Last edited: 12 November 2011 11:58pm

    Hi,

    I am using Silverstripe 2.4.6 and I found a bug when calling the method destroy from Session class. In fact, this method works fine if the PHP Session is not assigned to a specific domain. However, when it occurs, the PHPSESSID is not cleaned as expected.

    Analyzing the source code, I realized that, when creating the session, Silverstripe is considering the domain and path.

       public static function start($sid = null) {
          self::load_config();
          $path = self::get_cookie_path();
          $domain = self::get_cookie_domain();
          $secure = self::get_cookie_secure();

          if(!session_id() && !headers_sent()) {
             if($domain) {
                session_set_cookie_params(self::$timeout, $path, $domain, $secure /* secure */, true /* httponly */);
             } else {
                session_set_cookie_params(self::$timeout, $path, null, $secure /* secure */, true /* httponly */);
             }

    However, the same does not happen in destroy method

       public static function destroy($removeCookie = true) {
          if(session_id()) {
             if($removeCookie) {
                setcookie(session_name(), '');
                unset($_COOKIE[session_name()]);
             }
             session_destroy();
          }

    The result is that, when creating the cookie, the server send this header:
    Set-Cookie: PHPSESSID=an0918hnjouo8j027c4on7dju1; path=/; domain=.myDomain.com; HttpOnly

    but when destroying, it is sent a part of this information
    Set-Cookie: PHPSESSID=deleted; expires=Fri, 12-Nov-2010 10:42:28 GMT

    My suggestion to fix this issue:

       public static function destroy($removeCookie = true) {
          if(session_id()) {
             if($removeCookie) {
    $path = self::get_cookie_path();
    $domain = self::get_cookie_domain();
    $secure = self::get_cookie_secure();

    if($domain) {
    setcookie(session_name(), '', null, $path, $domain, $secure, true);
    }
    else {
    setcookie(session_name(), '', null, $path, null, $secure, true);
    }
                unset($_COOKIE[session_name()]);
             }
             session_destroy();
          }
       }

    Thanks
    João Santos

  • Willr
    Avatar
    Forum Moderator
    5163 Posts

    Re: Bug in Session destroy when using domain cookies Link to this post

    13 November 2011 at 1:51pm

    João, please submit bugs to open.silverstripe.org or patches to the github account as pull requests. That way they won't get lost on the forum and the core devs can review your work!

    Cheers,

    397 Views
Page: 1
Go to Top

Want to know more about the company that brought you SilverStripe? Then check out SilverStripe.com

Comments on this website? Please give feedback.