Commit b37c966a authored by Taylor Otwell's avatar Taylor Otwell

improve session ID assignment to avoid possible overlaps.

Signed-off-by: 's avatarTaylor Otwell <taylorotwell@gmail.com>
parent e4c03aab
<?php namespace Laravel\Session\Drivers; <?php namespace Laravel\Session\Drivers;
class APC implements Driver { class APC extends Driver {
/** /**
* The APC cache driver instance. * The APC cache driver instance.
......
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
use Laravel\Crypter; use Laravel\Crypter;
class Cookie implements Driver { class Cookie extends Driver {
/** /**
* The name of the cookie used to store the session payload. * The name of the cookie used to store the session payload.
......
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
use Laravel\Config; use Laravel\Config;
use Laravel\Database\Connection; use Laravel\Database\Connection;
class Database implements Driver, Sweeper { class Database extends Driver implements Sweeper {
/** /**
* The database connection. * The database connection.
......
<?php namespace Laravel\Session\Drivers; <?php namespace Laravel\Session\Drivers; use Laravel\Config, Laravel\Str;
interface Driver { abstract class Driver {
/** /**
* Load a session from storage by a given ID. * Load a session from storage by a given ID.
...@@ -10,7 +10,7 @@ interface Driver { ...@@ -10,7 +10,7 @@ interface Driver {
* @param string $id * @param string $id
* @return array * @return array
*/ */
public function load($id); abstract public function load($id);
/** /**
* Save a given session to storage. * Save a given session to storage.
...@@ -20,7 +20,7 @@ interface Driver { ...@@ -20,7 +20,7 @@ interface Driver {
* @param bool $exists * @param bool $exists
* @return void * @return void
*/ */
public function save($session, $config, $exists); abstract public function save($session, $config, $exists);
/** /**
* Delete a session from storage by a given ID. * Delete a session from storage by a given ID.
...@@ -28,6 +28,43 @@ interface Driver { ...@@ -28,6 +28,43 @@ interface Driver {
* @param string $id * @param string $id
* @return void * @return void
*/ */
public function delete($id); abstract public function delete($id);
/**
* Insert a fresh session and return the payload array.
*
* @return array
*/
public function fresh()
{
// We will simply generate an empty session payload array, using an ID
// that is not currently assigned to any existing session within the
// application and return it to the driver.
return array('id' => $this->id(), 'data' => array(
':new:' => array(),
':old:' => array(),
));
}
/**
* Get a new session ID that isn't assigned to any current session.
*
* @return string
*/
public function id()
{
$session = array();
// We'll containue generating random IDs until we find an ID that is
// not currently assigned to a session. This is almost definitely
// going to happen on the first iteration.
do {
$session = $this->load($id = Str::random(40));
} while ( ! is_null($session));
return $id;
}
} }
\ No newline at end of file
<?php namespace Laravel\Session\Drivers; <?php namespace Laravel\Session\Drivers;
class File implements Driver, Sweeper { class File extends Driver implements Sweeper {
/** /**
* The path to which the session files should be written. * The path to which the session files should be written.
......
<?php namespace Laravel\Session\Drivers; <?php namespace Laravel\Session\Drivers;
class Memcached implements Driver { class Memcached extends Driver {
/** /**
* The Memcache cache driver instance. * The Memcache cache driver instance.
......
<?php namespace Laravel\Session\Drivers; <?php namespace Laravel\Session\Drivers;
class Redis implements Driver { class Redis extends Driver {
/** /**
* The Redis cache driver instance. * The Redis cache driver instance.
......
...@@ -54,22 +54,17 @@ class Payload { ...@@ -54,22 +54,17 @@ class Payload {
// If the session doesn't exist or is invalid we will create a new session // If the session doesn't exist or is invalid we will create a new session
// array and mark the session as being non-existent. Some drivers, such as // array and mark the session as being non-existent. Some drivers, such as
// the database driver, need to know whether the session exists in storage // the database driver, need to know whether it exists.
// so they can know whether to insert or update the session.
if (is_null($this->session) or static::expired($this->session)) if (is_null($this->session) or static::expired($this->session))
{ {
$this->exists = false; $this->exists = false;
$this->session = array('id' => Str::random(40), 'data' => array( $this->session = $this->driver->fresh();
':new:' => array(),
':old:' => array(),
));
} }
// A CSRF token is stored in every session. The token is used by the Form // A CSRF token is stored in every session. The token is used by the Form
// class and the "csrf" filter to protect the application from cross-site // class and the "csrf" filter to protect the application from cross-site
// request forgery attacks. The token is simply a long, random string // request forgery attacks. The token is simply a random string.
// which should be posted with each request to the application.
if ( ! $this->has(Session::csrf_token)) if ( ! $this->has(Session::csrf_token))
{ {
$this->put(Session::csrf_token, Str::random(40)); $this->put(Session::csrf_token, Str::random(40));
...@@ -125,8 +120,7 @@ class Payload { ...@@ -125,8 +120,7 @@ class Payload {
// We check for the item in the general session data first, and if it // We check for the item in the general session data first, and if it
// does not exist in that data, we will attempt to find it in the new // does not exist in that data, we will attempt to find it in the new
// and old flash data. If none of those arrays contain the requested // and old flash data, or finally return the default value.
// item, we will just return the default value.
if ( ! is_null($value = array_get($session, $key))) if ( ! is_null($value = array_get($session, $key)))
{ {
return $value; return $value;
...@@ -247,7 +241,7 @@ class Payload { ...@@ -247,7 +241,7 @@ class Payload {
*/ */
public function regenerate() public function regenerate()
{ {
$this->session['id'] = Str::random(40); $this->session['id'] = $this->driver->id();
$this->exists = false; $this->exists = false;
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment