
merged branch mvrhov/pdo_sessstorage_fix (PR #2382)

Commits
-------

edfa29b session data needs to be encoded because it can contain non binary safe characters e.g null. Fixes #2067

Discussion
----------

session data needs to be encoded because it can contain non binary safe characters e.g null.

Bug fix: yes
Feature addition: no
Backwards compatibility break: yes
Symfony2 tests pass: yes
Fixes the following tickets: #2067

I'm marking this as a compatibility break because the session table should be cleared, and even if it is not cleared, all currently logged-in users will be logged out.

---------------------------------------------------------------------------

by mvrhov at 2011/10/11 12:52:25 -0700

P.S. I know there was a talk about doctrine based session storage but I cannot find this in core. It probably has the same problem.

---------------------------------------------------------------------------

by eventhorizonpl at 2011/10/11 14:34:08 -0700

Thanks for tracking down and fixing this issue!

Best regards,
Michal

---------------------------------------------------------------------------

by stof at 2011/10/11 16:24:18 -0700

@mvrhov The Doctrine based storage is only available in master, not in 2.0
Fabien Potencier 13 gadi atpakaļ
revīzija
94e7e54777

+ 7 - 3
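--- a/src/Symfony/Component/HttpFoundation/SessionStorage/PdoSessionStorage.php
+++ b/src/Symfony/Component/HttpFoundation/SessionStorage/PdoSessionStorage.php
@@ -181,7 +181,7 @@ class PdoSessionStorage extends NativeSessionStorage
             $sessionRows = $stmt->fetchAll(\PDO::FETCH_NUM);
 
             if (count($sessionRows) == 1) {
-                return $sessionRows[0][0];
+                return base64_decode($sessionRows[0][0]);
             }
 
             // session does not exist, create it
@@ -217,9 +217,11 @@ class PdoSessionStorage extends NativeSessionStorage
             : "UPDATE $dbTable SET $dbDataCol = :data, $dbTimeCol = :time WHERE $dbIdCol = :id";
 
         try {
+            //session data can contain non binary safe characters so we need to encode it
+            $encoded = base64_encode($data);
             $stmt = $this->db->prepare($sql);
             $stmt->bindParam(':id', $id, \PDO::PARAM_STR);
-            $stmt->bindParam(':data', $data, \PDO::PARAM_STR);
+            $stmt->bindParam(':data', $encoded, \PDO::PARAM_STR);
             $stmt->bindValue(':time', time(), \PDO::PARAM_INT);
             $stmt->execute();
 
@@ -251,9 +253,11 @@ class PdoSessionStorage extends NativeSessionStorage
 
         $sql = "INSERT INTO $dbTable ($dbIdCol, $dbDataCol, $dbTimeCol) VALUES (:id, :data, :time)";
 
+        //session data can contain non binary safe characters so we need to encode it
+        $encoded = base64_encode($data);
         $stmt = $this->db->prepare($sql);
         $stmt->bindParam(':id', $id, \PDO::PARAM_STR);
-        $stmt->bindParam(':data', $data, \PDO::PARAM_STR);
+        $stmt->bindParam(':data', $encoded, \PDO::PARAM_STR);
         $stmt->bindValue(':time', time(), \PDO::PARAM_INT);
         $stmt->execute();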
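Review bot: The read path in the first hunk, `return base64_decode($sessionRows[0][0]);`, decodes in non-strict mode, so a row written before this change is not rejected: characters outside the base64 alphabet are silently dropped and the remainder decodes to arbitrary bytes that are returned as session data, presumably to be fed to the session deserializer. Decoding strictly and falling back to an empty session gives the logged-out behaviour the description expects even when the table is not cleared: `$data = base64_decode($sessionRows[0][0], true);` followed by `return false === $data ? '' : $data;`. Base64 also grows the stored value by about a third, so the data column's size limit is worth re-checking against truncation; the schema is not visible on this page. The enclosing methods start and end outside all three hunks, so how the returned string is consumed should be confirmed there.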