Topic: Strange behavior of unserialize($_COOKIE[$cookie_name])

Hello Guys!

This night I encountered some strange behavior of unserialize($_COOKIE[$cookie_name]), it just returned (bool)false.
So I took just the string in $_COOKIE[$cookie_name] and passed it to unserialize by hand and I got the correct result.
I was surprised - what is wrong!?
Finally I solved this strange behavior by using base64_encode/decode. I do not know if this is a real 'bug' - but I think so.

Here is the patch:
http://familiehaeuser.de/files/base64.patch


-Chepra

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Moved to Troubleshooting, since it seems to work perfectly fine for everyone else

What version of PHP do you have?

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

I am using 5.2 -> works fine here for me.
But we are using 5.1.6 on the server, there it did not work. hmm

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Interesting
I believe that's the version I have at home and it works fine for me hmm
Could you paste the cookie's value here?

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

a:2:{i:0;s:1:\"2\";i:1;s:32:\"af5a3a493403550749744b4bd55799d1\";}
This is the value.

Works fine for:
   unserialize("a:2:{i:0;s:1:\"2\";i:1;s:32:\"af5a3a493403550749744b4bd55799d1\";}")
but not for:
   unserialize('a:2:{i:0;s:1:\"2\";i:1;s:32:\"af5a3a493403550749744b4bd55799d1\";}')

If you use base64_encode/decode it does not matter which type of quote you use.

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

The question is, why are those values being escaped (magic_quotes_gpc is my guess) when we have this piece of code:

// Strip slashes from GET/POST/COOKIE (if magic_quotes_gpc is enabled)
if (get_magic_quotes_gpc())
{
    function stripslashes_array($array)
    {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }

    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}
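
The failure discussed in this thread, reproduced as an added example (not PunBB code and not written by any poster): a serialized cookie escaped the way magic_quotes_gpc escapes it no longer parses, stripslashes() restores it, and base64 is unaffected. The helper decode_login_cookie() and all values are constructed for illustration; it assumes PHP 7.0+ for the allowed_classes option and also checks the decoded shape, because the cookie is client-controlled.

```php
<?php
// Added example: all values are constructed; decode_login_cookie() is a hypothetical helper.

function decode_login_cookie($raw)
{
    // The cookie is client-controlled: never let unserialize() instantiate objects.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || count($data) !== 2 || !isset($data[0], $data[1])) {
        return null;
    }
    list($id, $hash) = $data;
    // Accept only the expected shape: numeric user ID plus 32 hex characters.
    if (!is_string($id) || !preg_match('/\A[0-9]+\z/', $id)) {
        return null;
    }
    if (!is_string($hash) || !preg_match('/\A[0-9a-f]{32}\z/', $hash)) {
        return null;
    }
    return ['user_id' => (int) $id, 'hash' => $hash];
}

$serialized = serialize(['2', md5('constructed-sample')]);

// magic_quotes_gpc ran addslashes() over every incoming cookie value,
// turning s:1:"2" into s:1:\"2\". A double-quoted PHP literal hides this when
// testing by hand, because \" inside double quotes is just an escaped quote,
// while inside single quotes the backslash stays in the string.
$escaped = addslashes($serialized);

// The parser expects a double quote right after "s:1:" and finds a backslash,
// so the escaped value is rejected.
var_dump(decode_login_cookie($escaped));

// Undoing the escaping, as stripslashes_array() above does, restores the value.
var_dump(decode_login_cookie(stripslashes($escaped)));

// Base64 output contains no quotes, backslashes or NUL bytes, so addslashes()
// leaves it unchanged and the payload decodes whether or not escaping was applied.
$b64 = base64_encode($serialized);
var_dump(addslashes($b64) === $b64);
var_dump(decode_login_cookie(base64_decode($b64, true)));
```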

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Okay. Then this is definitely not a bug.
I just missed this line of code in my implementation of the cookie check.

But still using base64 would be better in this case wink

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Well, PunBB 1.3 uses base64 instead of serialize wink

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Okay this is nice to hear.

But why do you not use sessions?

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

1. Sessions aren't necessarily the best things for search engines: they usually end up with the ugly PHPSESSID URLs.
2. We're not really storing lots of information in the cookie: just a user ID and a password hash. If we were trying to store all the user data it would be a better idea to use sessions
3. Session cookies don't save when the browser closes/opens again, so people can't save their logins.

11 (edited by Chepra 2007-01-01 18:34)

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Smartys wrote:

1. Sessions aren't necessarily the best things for search engines: they usually end up with the ugly PHPSESSID URLs.

You can disable this.

Smartys wrote:

2. We're not really storing lots of information in the cookie: just a user ID and a password hash. If we were trying to store all the user data it would be a better idea to use sessions

Why not save more data in sessions?

Smartys wrote:

3. Session cookies don't save when the browser closes/opens again, so people can't save their logins.

You can change this behavior.
http://php.net/session_set_cookie_params() is your friend. smile

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

1. Only if you have access to php.ini or a host which allows you to modify PHP's settings via .htaccess. Not always possible.
2. Because we can't trust the data to be up to date or secure (especially in a shared hosting environment)
3. Fair enough wink

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Okay, let's leave it at that. smile

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Smartys wrote:

1. Only if you have access to php.ini or a host which allows you to modify PHP's settings via .htaccess. Not always possible.

More to it, almost every host using PHP as a cgi or fastcgi can't handle this. That's quite a large crowd.

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Chepra wrote:

Why not save more data in sessions?

Because it isn't good from a performance point of view. What you end up doing to solve the problem is to write your own session management code that usually stores session data in the database. Which is what we do already, so the point is moot smile The only benefit PunBB would have from sessions is that it would allow users to log in with cookies disabled, BUT, in order to allow that, we would have to do URL-based session ID propagation.

"Programming is like sex: one mistake and you have to support it for the rest of your life."