Strange behavior of unserialize($_COOKIE[$cookie_name])

Chepra · 2006-12-31 18:38

Chepra
Member
Offline

Registered: 2006-08-28
Posts: 12

Topic: Strange behavior of unserialize($_COOKIE[$cookie_name])

Hello Guys!

This night i encountered some strange behavior of unserialize($_COOKIE[$cookie_name]), it just returned (bool)false.
So I took just the string in $_COOKIE[$cookie_name] and passed it to unserialize by hand and I got the correct result.
I was surprised - what is wrong!?
Finally i solved this strange behavior by using base64_encode/decode. I do not know if this is a real 'bug' - but i tink so.

Here is the patch:
http://familiehaeuser.de/files/base64.patch

-Chepra

Smartys · 2007-01-01 00:55

Smartys
Former PunBB Developer
Offline

Registered: 2004-04-30
Posts: 7,844

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Moved to Troubleshooting, since it seems to work perfectly fine for everyone else

What version of PHP do you have?

Chepra · 2007-01-01 12:15

Chepra
Member
Offline

Registered: 2006-08-28
Posts: 12

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

I am using 5.2 -> works fine here for me.
But we are using 5.1.6 on the server, there it did not worked.

Smartys · 2007-01-01 13:18

Smartys
Former PunBB Developer
Offline

Registered: 2004-04-30
Posts: 7,844

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Interesting
I believe that's the version I have at home and it works fine for me
Could you paste the cookie's value here?

Chepra · 2007-01-01 14:07

Chepra
Member
Offline

Registered: 2006-08-28
Posts: 12

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

a:2:{i:0;s:1:\"2\";i:1;s:32:\"af5a3a493403550749744b4bd55799d1\";}
This is the value.

Works fine for:
unserialize("a:2:{i:0;s:1:\"2\";i:1;s:32:\"af5a3a493403550749744b4bd55799d1\";}")
but not for:
unserialize('a:2:{i:0;s:1:\"2\";i:1;s:32:\"af5a3a493403550749744b4bd55799d1\";}')

If you use base64_encode/decode it does not matter which type of quote you use.

Smartys · 2007-01-01 14:21

Smartys
Former PunBB Developer
Offline

Registered: 2004-04-30
Posts: 7,844

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

The question is, why are those values being escaped (magic_quotes_gpc is my guess) when we have this piece of code:

// Strip slashes from GET/POST/COOKIE (if magic_quotes_gpc is enabled)
if (get_magic_quotes_gpc())
{
    function stripslashes_array($array)
    {
        return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
    }

    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
    $_COOKIE = stripslashes_array($_COOKIE);
}

Chepra · 2007-01-01 14:33

Chepra
Member
Offline

Registered: 2006-08-28
Posts: 12

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Okay. Than this is definitely not a bug.
I just missed this line of code in my implementation of the cookie check.

But still using base64 would be better in this case

Smartys · 2007-01-01 17:17

Smartys
Former PunBB Developer
Offline

Registered: 2004-04-30
Posts: 7,844

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Well, PunBB 1.3 uses base64 instead of serialize

Chepra · 2007-01-01 17:35

Chepra
Member
Offline

Registered: 2006-08-28
Posts: 12

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Okay this is nice to hear.

But why you do not use Sessions?

Smartys · 2007-01-01 17:43

Smartys
Former PunBB Developer
Offline

Registered: 2004-04-30
Posts: 7,844

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

1. Sessions aren't necessarily the best things for search engines: they usually end up with the ugly PHPSESSID URLs.
2. We're not really storing lots of information in the cookie: just a user ID and a password hash. If we were trying to store all the user data it would be a better idea to use sessions
3. Session cookies don't save when the browser closes/opens again, so people can't save their logins.

Chepra · 2007-01-01 18:34

Chepra
Member
Offline

Registered: 2006-08-28
Posts: 12

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Smartys wrote:

1. Sessions aren't necessarily the best things for search engines: they usually end up with the ugly PHPSESSID URLs.

You can disable this.

Smartys wrote:

2. We're not really storing lots of information in the cookie: just a user ID and a password hash. If we were trying to store all the user data it would be a better idea to use sessions

Why not save more data in sessions?

Smartys wrote:

3. Session cookies don't save when the browser closes/opens again, so people can't save their logins.

You can change this behavior.
http://php.net/session_set_cookie_params() is your friend.

Smartys · 2007-01-01 18:57

Smartys
Former PunBB Developer
Offline

Registered: 2004-04-30
Posts: 7,844

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

1. Only if you have access to php.ini or a host which allows you to modify PHP's settings via .htaccess. Not always possible.
2. Because we can't trust the data to be up to date or secure (especially in a shared hosting environment)
3. Fair enough

Chepra · 2007-01-01 19:31

Chepra
Member
Offline

Registered: 2006-08-28
Posts: 12

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Okay, let's leave it at that.

Jérémie · 2007-01-01 21:16

Jérémie
PunBB Donor
Offline

From: France
Registered: 2004-11-06
Posts: 695

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Smartys wrote:

1. Only if you have access to php.ini or a host which allows you to modify PHP's settings via .htaccess. Not always possible.

More to it, almost every host using PHP as a cgi or fastcgi can't handle this. That's quite a large crowd.

Jeu de rôle en ligne sur table virtuelle ⁂ Shadowrun France ⁂ Chez Blacky

Rickard · 2007-01-01 23:07

Rickard
PunBB Developer
Offline

From: 127.0.0.1
Registered: 2001-11-02
Posts: 9,167

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Chepra wrote:

Why not save more data in sessions?

Because it isn't good from a performance point of view. What you end up doing to solve the problem is to write your own session management code that usually stores session data in the database. Which is what we do already, so the point is mute The only benefit PunBB would have from sessions is that it would allow users to login with cookies disabled, BUT, in order to allow that, we would have to do URL based session ID propagation.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Strange behavior of unserialize($_COOKIE[$cookie_name])

Posts: 15

1 Topic by Chepra 2006-12-31 18:38

Topic: Strange behavior of unserialize($_COOKIE[$cookie_name])

2 Reply by Smartys 2007-01-01 00:55

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

3 Reply by Chepra 2007-01-01 12:15

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

4 Reply by Smartys 2007-01-01 13:18

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

5 Reply by Chepra 2007-01-01 14:07

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

6 Reply by Smartys 2007-01-01 14:21

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

7 Reply by Chepra 2007-01-01 14:33

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

8 Reply by Smartys 2007-01-01 17:17

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

9 Reply by Chepra 2007-01-01 17:35

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

10 Reply by Smartys 2007-01-01 17:43

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

11 Reply by Chepra 2007-01-01 18:34 (edited by Chepra 2007-01-01 18:34)

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

12 Reply by Smartys 2007-01-01 18:57

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

13 Reply by Chepra 2007-01-01 19:31

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

14 Reply by Jérémie 2007-01-01 21:16

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

15 Reply by Rickard 2007-01-01 23:07

Re: Strange behavior of unserialize($_COOKIE[$cookie_name])

Posts: 15