fix: correct IP cast bug in update_session causing login failure#528
darknoon29 merged 1 commit into develop from
Conversation
The user_ip parameter was cast to bool before being used in the SQL WHERE clause, causing the UPDATE to filter on session_ip = '1' instead of the actual IP address. As a result, no row was updated, user_id remained 0, and the subsequent session lookup returned no authenticated user (Unidentified visitor). Fix: remove the erroneous bool cast and escape the IP string only when it is actually provided (not false).
Pull request overview
Fixes a login failure where sessions were not being updated due to an incorrect boolean cast of the IP address in Sessions_Model::update_session(), preventing the UPDATE ... WHERE session_ip = ... clause from matching the real session row.
Changes:
- Removed the erroneous (bool) cast on $user_ip in update_session().
- Updated the IP filter logic to only append the session_ip predicate when $user_ip is explicitly provided (!== false), and to escape it before use.
| $request = "UPDATE " . TABLE_SESSIONS . " SET `user_id` = " . $user_id . ", `session_lastvisit` = " . $lastvisit . " WHERE `id` = '" . $cookie_id . "'"; | ||
| if ($user_ip) { | ||
| if ($user_ip !== false) { | ||
| $user_ip = $this->db->sql_escape_string($user_ip); | ||
| $request .= " and `session_ip` = '" . $user_ip . "'"; | ||
| } |
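Review bot: the new `!== false` guard still appends the session_ip predicate when $user_ip is an empty string or null, which would again build a WHERE clause that matches no session row and reproduce the "Unidentified visitor" symptom by another path; consider treating any empty value as absent, or validating it with filter_var($user_ip, FILTER_VALIDATE_IP) before appending. In the first line of the hunk, $user_id, $lastvisit and $cookie_id are concatenated into the statement as-is; casting the two integers with (int) and passing $cookie_id through sql_escape_string() (if the caller does not already) would keep the statement shape fixed regardless of input.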
Add PHPUnit coverage for this bugfix (e.g., assert that when an IP string is provided, update_session() builds the UPDATE with session_ip = '<escaped ip>' and does not coerce it to a boolean). The repo already has unit tests for other models with mocked DBs, but there is no regression test ensuring session updates match the correct IP, so this could silently break again.



Problem
After resetting a user's password directly in the database, login was failing with "Unidentified visitor" even though authentication logs showed the password verification succeeded.
Root Cause
In Sessions_Model::update_session(), the $user_ip parameter was cast to bool before being used in the SQL WHERE clause:

This caused the UPDATE to match zero rows, leaving user_id = 0 in the session. The subsequent SELECT in select_user_data_session() then found the session row but with no linked user → "Unidentified visitor".
Fix
Removed the erroneous (bool) cast. The IP string is now properly escaped with sql_escape_string() only when it is actually provided (i.e. not false).
Files Changed
model/Sessions_Model.php — update_session()
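As an added illustration (not the project's code), a stand-in for the statement builder in update_session() that reproduces both the buggy and the corrected predicate, so the PHP type juggling behind the failure is visible: TABLE_SESSIONS, escape_string() and the sample values are assumptions standing in for the real constant, $this->db->sql_escape_string() and live session data.

```php
<?php
// Added example, not the project's code. Mirrors the concatenation shown in
// the diff; only the handling of $user_ip differs between the two builders.

const TABLE_SESSIONS = 'sessions'; // assumed stand-in for the real constant

// Stand-in for $this->db->sql_escape_string() (assumption).
function escape_string(string $value): string
{
    return addslashes($value);
}

// Buggy version: (bool) turns any non-empty IP string into true, and true
// concatenates as "1", so the predicate becomes session_ip = '1' and the
// UPDATE matches no row, leaving user_id = 0.
function build_update_buggy(string $cookie_id, int $user_id, int $lastvisit, $user_ip): string
{
    $user_ip = (bool) $user_ip;
    $request = "UPDATE " . TABLE_SESSIONS . " SET `user_id` = " . $user_id
        . ", `session_lastvisit` = " . $lastvisit
        . " WHERE `id` = '" . $cookie_id . "'";
    if ($user_ip) {
        $request .= " and `session_ip` = '" . $user_ip . "'";
    }
    return $request;
}

// Corrected version: keep the string, escape it, and add the predicate only
// when an IP was actually passed (not false).
function build_update_fixed(string $cookie_id, int $user_id, int $lastvisit, $user_ip): string
{
    $request = "UPDATE " . TABLE_SESSIONS . " SET `user_id` = " . $user_id
        . ", `session_lastvisit` = " . $lastvisit
        . " WHERE `id` = '" . $cookie_id . "'";
    if ($user_ip !== false) {
        $user_ip = escape_string($user_ip);
        $request .= " and `session_ip` = '" . $user_ip . "'";
    }
    return $request;
}

// Constructed sample input (not real session data).
$cookie = 'abc123';
echo build_update_buggy($cookie, 42, 1700000000, '192.0.2.10'), "\n";
echo build_update_fixed($cookie, 42, 1700000000, '192.0.2.10'), "\n";
echo build_update_fixed($cookie, 42, 1700000000, false), "\n";
```

Running it side by side shows the buggy builder emitting `session_ip = '1'`, the fixed one emitting the real address, and the `false` case omitting the predicate entirely.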