improve session ID assignment to avoid possible overlaps.

Signed-off-by: Taylor Otwell <taylorotwell@gmail.com>

improve session ID assignment to avoid possible overlaps.
Signed-off-by: Taylor Otwell <taylorotwell@gmail.com>
b37c966a · Taylor Otwell · e4c03aab · b37c966a · b37c966a · b37c966a
Commit b37c966a authored Feb 28, 2012 by Taylor Otwell
8 changed files
--- a/laravel/session/drivers/apc.php
+++ b/laravel/session/drivers/apc.php
 <?php namespace Laravel\Session\Drivers;

-class APC implements Driver {
+class APC extends Driver {

 	/**
 	 * The APC cache driver instance.

--- a/laravel/session/drivers/cookie.php
+++ b/laravel/session/drivers/cookie.php
@@ -2,7 +2,7 @@

 use Laravel\Crypter;

-class Cookie implements Driver {
+class Cookie extends Driver {

 	/**
 	 * The name of the cookie used to store the session payload.

--- a/laravel/session/drivers/database.php
+++ b/laravel/session/drivers/database.php
@@ -3,7 +3,7 @@
 use Laravel\Config;
 use Laravel\Database\Connection;

-class Database implements Driver, Sweeper {
+class Database extends Driver implements Sweeper {

 	/**
 	 * The database connection.

--- a/laravel/session/drivers/driver.php
+++ b/laravel/session/drivers/driver.php
-<?php namespace Laravel\Session\Drivers;
+<?php namespace Laravel\Session\Drivers; use Laravel\Config, Laravel\Str;

-interface Driver {
+abstract class Driver {

 	/**
 	 * Load a session from storage by a given ID.
@@ -10,7 +10,7 @@ interface Driver {
 	 * @param  string  $id
 	 * @return array
 	 */
-	public function load($id);
+	abstract public function load($id);

 	/**
 	 * Save a given session to storage.
@@ -20,7 +20,7 @@ interface Driver {
 	 * @param  bool   $exists
 	 * @return void
 	 */
-	public function save($session, $config, $exists);
+	abstract public function save($session, $config, $exists);

 	/**
 	 * Delete a session from storage by a given ID.
@@ -28,6 +28,43 @@ interface Driver {
 	 * @param  string  $id
 	 * @return void
 	 */
-	public function delete($id);
+	abstract public function delete($id);
+
+	/**
+	 * Insert a fresh session and return the payload array.
+	 *
+	 * @return array
+	 */
+	public function fresh()
+	{
+		// We will simply generate an empty session payload array, using an ID
+		// that is not currently assigned to any existing session within the
+		// application and return it to the driver.
+		return array('id' => $this->id(), 'data' => array(
+			':new:' => array(),
+			':old:' => array(),
+		));
+	}
+
+	/**
+	 * Get a new session ID that isn't assigned to any current session.
+	 *
+	 * @return string
+	 */
+	public function id()
+	{
+		$session = array();
+
+		// We'll containue generating random IDs until we find an ID that is
+		// not currently assigned to a session. This is almost definitely
+		// going to happen on the first iteration.
+		do {
+
+			$session = $this->load($id = Str::random(40));			
+
+		} while ( ! is_null($session));
+
+		return $id;
+	}

 }
\ No newline at end of file
--- a/laravel/session/drivers/file.php
+++ b/laravel/session/drivers/file.php
 <?php namespace Laravel\Session\Drivers;

-class File implements Driver, Sweeper {
+class File extends Driver implements Sweeper {

 	/**
 	 * The path to which the session files should be written.

--- a/laravel/session/drivers/memcached.php
+++ b/laravel/session/drivers/memcached.php
 <?php namespace Laravel\Session\Drivers;

-class Memcached implements Driver {
+class Memcached extends Driver {

 	/**
 	 * The Memcache cache driver instance.

--- a/laravel/session/drivers/redis.php
+++ b/laravel/session/drivers/redis.php
 <?php namespace Laravel\Session\Drivers;

-class Redis implements Driver {
+class Redis extends Driver {

 	/**
 	 * The Redis cache driver instance.

--- a/laravel/session/payload.php
+++ b/laravel/session/payload.php
@@ -54,22 +54,17 @@ class Payload {

 		// If the session doesn't exist or is invalid we will create a new session
 		// array and mark the session as being non-existent. Some drivers, such as
-		// the database driver, need to know whether the session exists in storage
-		// so they can know whether to insert or update the session.
+		// the database driver, need to know whether it exists.
 		if (is_null($this->session) or static::expired($this->session))
 		{
 			$this->exists = false;

-			$this->session = array('id' => Str::random(40), 'data' => array(
-				':new:' => array(),
-				':old:' => array(),
-			));
+			$this->session = $this->driver->fresh();
 		}

 		// A CSRF token is stored in every session. The token is used by the Form
 		// class and the "csrf" filter to protect the application from cross-site
-		// request forgery attacks. The token is simply a long, random string
-		// which should be posted with each request to the application.
+		// request forgery attacks. The token is simply a random string.
 		if ( ! $this->has(Session::csrf_token))
 		{
 			$this->put(Session::csrf_token, Str::random(40));
@@ -125,8 +120,7 @@ class Payload {

 		// We check for the item in the general session data first, and if it
 		// does not exist in that data, we will attempt to find it in the new
-		// and old flash data. If none of those arrays contain the requested
-		// item, we will just return the default value.
+		// and old flash data, or finally return the default value.
 		if ( ! is_null($value = array_get($session, $key)))
 		{
 			return $value;
@@ -247,7 +241,7 @@ class Payload {
 	 */
 	public function regenerate()
 	{
-		$this->session['id'] = Str::random(40);
+		$this->session['id'] = $this->driver->id();

 		$this->exists = false;
 	}