Bug: Session::stop() does not destroy Session #7501
Comments
|
To be honest, I don't understand why this method exists and implemented like this. User Guide:
Doc comment: CodeIgniter4/system/Session/Session.php Lines 274 to 281 in fb0583f Implementation: CodeIgniter4/system/Session/Session.php Lines 281 to 290 in fb0583f |
|
In the current implementation, the diff --git a/app/Config/Routes.php b/app/Config/Routes.php
index c251ec22c4..112271665c 100644
--- a/app/Config/Routes.php
+++ b/app/Config/Routes.php
@@ -19,7 +19,7 @@ $routes->set404Override();
// where controller filters or CSRF protection are bypassed.
// If you don't want to define all routes, please use the Auto Routing (Improved).
// Set `$autoRoutesImproved` to true in `app/Config/Feature.php` and set the following to true.
-// $routes->setAutoRoute(false);
+$routes->setAutoRoute(true);
/*
* --------------------------------------------------------------------
diff --git a/app/Controllers/Home.php b/app/Controllers/Home.php
index 7f867e95ff..2745406a20 100644
--- a/app/Controllers/Home.php
+++ b/app/Controllers/Home.php
@@ -6,6 +6,17 @@ class Home extends BaseController
{
public function index()
{
- return view('welcome_message');
+ $session = session();
+ $session->set('foo', 'bar');
+
+ d($session->get(), $_SESSION);
+ }
+
+ public function stop()
+ {
+ $session = session();
+ $session->stop();
+
+ d($session->get(), $_SESSION);
}
}Navigate to {
"Response Headers (446 B)": {
"headers": [
{
"name": "Cache-Control",
"value": "no-store, no-cache, must-revalidate"
},
{
"name": "Cache-Control",
"value": "no-store, max-age=0, no-cache"
},
{
"name": "Connection",
"value": "close"
},
{
"name": "Content-Type",
"value": "text/html; charset=UTF-8"
},
{
"name": "Date",
"value": "Tue, 16 May 2023 03:03:16 GMT"
},
{
"name": "Expires",
"value": "Thu, 19 Nov 1981 08:52:00 GMT"
},
{
"name": "Host",
"value": "localhost:8080"
},
{
"name": "Pragma",
"value": "no-cache"
},
{
"name": "Set-Cookie",
"value": "ci_session=91ikuem4clgojhueua4qunhm36be7ae1; expires=Tue, 16-May-2023 05:03:16 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax"
},
{
"name": "X-Powered-By",
"value": "PHP/8.1.18"
}
]
}
}Navigate to {
"Response Headers (446 B)": {
"headers": [
{
"name": "Cache-Control",
"value": "no-store, no-cache, must-revalidate"
},
{
"name": "Cache-Control",
"value": "no-store, max-age=0, no-cache"
},
{
"name": "Connection",
"value": "close"
},
{
"name": "Content-Type",
"value": "text/html; charset=UTF-8"
},
{
"name": "Date",
"value": "Tue, 16 May 2023 03:03:40 GMT"
},
{
"name": "Expires",
"value": "Thu, 19 Nov 1981 08:52:00 GMT"
},
{
"name": "Host",
"value": "localhost:8080"
},
{
"name": "Pragma",
"value": "no-cache"
},
{
"name": "Set-Cookie",
"value": "ci_session=iji741a2qesbj2m8in5j7tsjig3f6pq7; expires=Tue, 16-May-2023 05:03:40 GMT; Max-Age=7200; path=/; HttpOnly; SameSite=Lax"
},
{
"name": "X-Powered-By",
"value": "PHP/8.1.18"
}
]
}
} |
|
Looks like I added these years ago but I have no idea why, honestly. The PR makes it seem like a purely semantic thing. I could have sworn it was in the port from CI3, but turns out that's not the case. Seems my previous reasoning on why this existed was likely incorrect. In this case I think we should call it a bug, and simply make it an alias for What do you think @kenjis ? |
|
fd59180 says "Updating session library to have manual start and stop methods." Now no one knows why it was implemented that way, so it's not worth worrying about. In my opinion, I think the following is fine:
(3) is not directly relevant. So it will be starting with 4.4. Or if we really need a method to completely kill the session, // remove all session data
$_SESSION = [];
// delete the session cookie
setcookie(
$this->sessionCookieName,
session_id(),
[
'expires' => 1,
'path' => $this->cookie->getPath(),
'domain' => $this->cookie->getDomain(),
'secure' => $this->cookie->isSecure(),
'httponly' => true,
]
);
session_destroy();But the method name should not be |
|
I don't think we need something to completely kill the session, but a I agree with your plan. |
|
Okay, I will fix this bug. |
|
Sent PR #7503 |
kenjis
added
bug
kenjis
changed the title
The user guide incorrectly states that
->stop()destroys the session. It does not. In the implementation it updates the cookie to close the session ASAP and regenerates the session ID to protect against session fixation attacks. It does not destroy the session. The docblock there also incorrectly states that it destroys the session that should be removed.Stopping a session allows someone to close the session without losing any data that might be currently stored in the session.
Looks like this was incorrectly labeled in the docblock in #4771 .
See discussion on #592
The text was updated successfully, but these errors were encountered: