Hi,
I dont know if this is the correct group, but anyway. As part of a school
project I decided to develop a solution to security in php sessions.
i've started playing with session.c (below) but whenever i call a script
with session_start() on it it doesnt load, but a session file is created on
the server (its empty)
i;ve included below the code i've editied. its from v4.3.9
Please help me...
cheers
------------------------------------------------------------------------------
static void php_session_initialize(TSRMLS_D)
{
char *vala;
int vallen;
if (!PS(mod)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "No storage module chosen - failed
to initialize session.");
return;
}
/* Open session handler first */
if (PS(mod)->s_open(&PS(mod_data), PS(save_path), PS(session_name)
TSRMLS_CC) == FAILURE) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Failed to initialize storage
module: %s (path: %s)", PS(mod)->s_name, PS(save_path));
return;
}
/* If there is no ID, use session module to create one */
if (!PS(id))
PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
/* Read data */
/* Question: if you create a SID here, should you also try to read data?
* I'm not sure, but while not doing so will remove one session operation
* it could prove usefull for those sites which wish to have "default"
* session information
*/
//php_session_track_init(TSRMLS_C);
zval *session_vars = NULL;
/* Unconditionally destroy existing arrays -- possible dirty data */
zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS"));
zend_hash_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION"));
MAKE_STD_ZVAL(session_vars);
array_init(session_vars);
PS(http_session_vars) = session_vars;
ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1);
ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"),
PS(http_session_vars), 2, 1);
if (PS(mod)->s_read(&PS(mod_data), PS(id), &vala, &vallen TSRMLS_CC) ==
SUCCESS) {
char *secondline = (char *)calloc(sizeof(secondline), strlen(vala) + 1 );
char *val = (char *)calloc(sizeof(val), strlen(vala) + 1 );
sscanf(vala, "%s\n%s", val, secondline);
php_session_decode(val, vallen TSRMLS_CC);
efree(val);
efree(vala);
efree(secondline);
}
}
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
static void php_session_save_current_state(TSRMLS_D)
{
int ret = FAILURE;
IF_SESSION_VARS() {
if (PS(bug_compat) && !PG(register_globals)) {
HashTable *ht = Z_ARRVAL_P(PS(http_session_vars));
HashPosition pos;
zval **val;
int do_warn = 0;
zend_hash_internal_pointer_reset_ex(ht, &pos);
while (zend_hash_get_current_data_ex(ht,
(void **) &val, &pos) != FAILURE) {
if (Z_TYPE_PP(val) == IS_NULL) {
if (migrate_global(ht, &pos TSRMLS_CC))
do_warn = 1;
}
zend_hash_move_forward_ex(ht, &pos);
}
if (do_warn && PS(bug_compat_warn)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Your script possibly relies on
a session side-effect which existed until PHP 4.2.3. Please be advised that
the session extension does not consider global variables as a source of
data, unless register_globals is enabled. You can disable this functionality
and this warning by setting session.bug_compat_42 or session.bug_compat_warn
to off, respectively.");
}
}
if (PS(mod_data)) {
char *val;
int vallen;
val = php_session_encode(&vallen TSRMLS_CC);
char *sert_s_name = (char *)calloc(sizeof(char), (strlen(PS(session_name)) +
1));
char *sert_s_id = (char *)calloc(sizeof(char), (strlen(PS(id)) + 1));
char *sert;
char sert_s_space = '=';
strcpy(sert_s_name, PS(session_name));
strcpy(sert_s_id, PS(id));
sert = (char *)calloc(sizeof(char), (strlen(val) + strlen(sert_s_name) +
strlen(sert_s_id) + 1 + 2)); /* 1 is for tmp_s_space and 2 is for \r\n*/
sprintf(sert, "%s=%s;\n%s", sert_s_name, sert_s_id, val );
if (sert) {
ret = PS(mod)->s_write(&PS(mod_data), PS(id), sert, strlen(sert) TSRMLS_CC);
efree(sert);
efree(sert_s_name);
efree(sert_s_id);
efree(val);
} else {
ret = PS(mod)->s_write(&PS(mod_data), PS(id), "", 0 TSRMLS_CC);
}
}
if (ret == FAILURE)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to write session data
(%s). Please "
"verify that the current setting of session.save_path "
"is correct (%s)",
PS(mod)->s_name,
PS(save_path));
}
if (PS(mod_data))
PS(mod)->s_close(&PS(mod_data) TSRMLS_CC);
}
------------------------------------------------------------------------------------------------------------------------------------------------------------------
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
