jsylvanus/phpScenario

Session namespace pollution

Closed this issue · 4 comments

When a Zend_Session_Namespace instance already exists, it appears running a phpScenario experiment will clear the existing session.

Curious, it only makes a call to session_id() and does no other session interactions. See Scenario_Identity_Provider_Session -- I suppose this could be made to check for ZF, but ZF's Zend_Session::getId() method also only calls session_id()... Calling it with no parameter does nothing but retrieve the current ID (which is then used as an identifier in your database), to the best of my knowledge.

The code follows the pattern on php.net's docs for session_id:

```php
<?php
// Pattern from the php.net session_id() docs: calling session_id() with no
// argument only retrieves the current ID and does not change the session;
// a session is started only when no ID exists yet.
$a = session_id();
if ($a == '') session_start();
```

Except instead of starting a new session, it throws an exception. It should in no case make any alterations to the session.

Your thoughts?
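As an added example (not phpScenario's own code), a read-only identity lookup that checks session state with session_status() in addition to session_id(), so it never starts, regenerates or clears a session; the class and exception names are assumed:

```php
<?php
// Added example, not phpScenario's code. Class and exception names are assumed.
// Reads the current session ID without altering session state: no
// session_start(), no session_id($x), no session_regenerate_id(), no destroy.
class ReadOnlySessionIdentity
{
    public function getId(): string
    {
        // session_id() alone can be non-empty when an ID was assigned with
        // session_id($x) before session_start(); session_status() reports
        // whether a session is actually running, so nothing is started here.
        if (session_status() !== PHP_SESSION_ACTIVE) {
            throw new RuntimeException(
                'No active session: start Zend_Session in the bootstrap before running experiments'
            );
        }
        $id = session_id();   // no argument: retrieve only, never assign
        if ($id === '') {
            throw new RuntimeException('Active session has no ID');
        }
        return $id;
    }
}

// Usage (assumes the application bootstrap has already started the session):
// session_start();   // or Zend_Session::start() in a ZF bootstrap
// $identity = (new ReadOnlySessionIdentity())->getId();
```

session_status() requires PHP 5.4 or later; on older PHP the session_id() check alone is the only option.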

Hi James,

sorry for throwing this short message at you. I found phpScenario to interfere with Zend_Form_Element_Hash, which allows for CSRF protection in a Zend_Form by storing a hash in a session. With phpScenario in place, the hash value is lost. I'll try to create a test case to illustrate the problem.

Thanks,
Bernd

Okay, thanks for looking into this. Scenario makes no session interactions outside of just getting the ID of the already-established session... not sure how that could interfere with ZFE_Hash? Could be an issue with when/where the session is established? Are you following the recommended bootstrap method for ZF?

I seem to recall the hash element having some problems as well. Hrm.

Bernd, mind if I close this? Haven't been able to reproduce the issue.