calling set_userdata() or unset_userdata() after session_destroy() throws PHP Warnings #2752
CI 2.1.4, PHP 5.3.27
If code is trying to set/unset session userdata after the session has been destroyed it causes PHP Warnings.
(While the above behavior is not proper nor recommended, it may be performed because there is not much opportunity to check if the session, and session key, exist.)
The CodeIgniter framework should at least be defensive and perform checks so as to avoid throwing these PHP warnings when trying to access the reserved session keys (ip_address, last_activity, etc.).
```php
error_reporting(E_ALL);
ini_set('display_errors', '1');

$this->load->library('session');
$this->session->sess_destroy();

// E_NOTICE Undefined index: ip_address in sess_write (Session.php:272)
// ...
// E_NOTICE Undefined index: last_activity in sess_write (Session.php:289)
$this->session->set_userdata('foo', 'bar');

// E_NOTICE Undefined index: ip_address in sess_write (Session.php:272)
// ...
// E_NOTICE Undefined index: last_activity in sess_write (Session.php:289)
$this->session->unset_userdata('foo');
```
Unfortunately, it takes us a non-trivial effort to pull a CI base and migrate our base to work with it. I would simply copy over the Session.php file but the driver implementation makes me think that wouldn't work. If you have other ideas on how to backport the 3.0 Session.php file to 2.1.4 I'd be happy to test it for you.
Gotcha. A brief look makes me think that no, it is not fixed.
In 2.1.4, the following lines are not defensive (they assume $val and 'session_id' are existing keys in $this->userdata), so when the session is destroyed (and userdata emptied) and these lines are executed, they throw the warnings listed above.

```php
// CI 2.1.4 Session.php

// line 272
$cookie_userdata[$val] = $this->userdata[$val];

// line 288
$this->CI->db->where('session_id', $this->userdata['session_id']);
```
While not an apple:apple comparison, the 3.0-dev branch appears to be non-defensive in the same regard, some examples:
```php
// CI 3.0-dev Session_cookie.php 4ea76cc221

// line 543
if ( ! $force && ($this->userdata['last_activity'] + $this->sess_time_to_update) >= $this->now)

// line 552
$old_sessid = $this->userdata['session_id'];

// line 582
'session_id' => $this->userdata['session_id']

// line 612
'last_activity' => $this->userdata['last_activity'],

// line 633
$this->CI->db->where('session_id', $this->userdata['session_id']);
```
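The kind of guard the issue asks for, as an added example that is not part of the thread and not CodeIgniter's code: a write path that first checks the reserved keys and refuses to persist once the session has been destroyed. The class `SessionSketch`, its `is_active()` helper, the `$stored` property and the sample values are hypothetical; only the reserved key names come from the thread.

```php
<?php
// Constructed stand-in for the pattern in this issue; not CodeIgniter's Session class.
class SessionSketch
{
    // Reserved keys taken from the notices and lines quoted in the thread.
    private static $reserved = array('session_id', 'ip_address', 'last_activity');
    public $userdata = array();
    public $stored = array();            // stands in for the cookie / DB row

    public function create()
    {
        // Sample values, constructed for this example.
        $this->userdata = array('session_id' => 'constructed-id',
            'ip_address' => '192.0.2.10', 'last_activity' => time());
    }

    public function destroy()
    {
        $this->userdata = $this->stored = array();   // userdata emptied, as described
    }

    // A session is writable only while every reserved key is present.
    private function is_active()
    {
        foreach (self::$reserved as $key) {
            if ( ! isset($this->userdata[$key])) {
                return FALSE;
            }
        }
        return TRUE;
    }

    public function set_userdata($key, $value)
    {
        if ( ! $this->is_active()) {
            return FALSE;    // refuse instead of reading missing reserved keys
        }
        $this->userdata[$key] = $value;
        $this->stored = $this->userdata;
        return TRUE;
    }
}
// Turn any notice or warning into an exception so a missed guard fails loudly.
set_error_handler(function ($no, $msg) { throw new ErrorException($msg, 0, $no); });
$s = new SessionSketch();
$s->create();
var_dump($s->set_userdata('foo', 'bar'));   // live session: the write is accepted
$s->destroy();
var_dump($s->set_userdata('foo', 'bar'));   // destroyed session: the write is refused
var_dump($s->stored);                       // what was persisted after destroy
```

Returning early also keeps a destroyed session from being written back without its `session_id`; an `unset_userdata()` path would take the same guard.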
These lines don't say anything, I went through the code myself and don't see a reason for the notices to appear ... hence why I'm asking for confirmation from somebody who uses it.