Bug Report #4265

Possible bug in Kohana 3.2 Auth?

Added by Newbie Fletcher 8 months ago. Updated 4 months ago.

Status:Closed Start date:09/18/2011
Priority:Normal Due date:
Assignee:Isaiah DeRose-Wilson % Done:0%

Category:-
Target version:Kohana v3.x - v3.2.1
Resolution:invalid Points:1

Description

I noticed some strange behaviour when I upgraded my site to Kohana 3.2 from 3.1.x. After logging into my application, my application still registered as not being logged in and upon inspecting the session data, there was no user data but just an empty Model_User object. I traced through the code and noticed that in the class defined as:

abstract class Kohana_Auth

the complete_login function is defined as this:

protected function complete_login($user)
{
    // Regenerate session_id
    $this->_session->regenerate();
    // Store username in session
    $this->_session->set($this->_config['session_key'], $user);
    return TRUE;
}

On inspecting the type of the $user variable it turned out to be Model_User, which struck me as odd because if you're going to keep a PHP object in the session you would usually perform some kind of serialisation to preserve the data, but with the code above, up until the point of saving in the session, the user data was intact, but after that all the data was lost.

I'm using PHP 5.3.4 on my local development computer and don't know if the PHP version has something to do with it. But I've changed that now to be this:

protected function complete_login($user)
{
    // Regenerate session_id
    $this->_session->regenerate();
    // Store the user data as a plain array in the session
    $this->_session->set($this->_config['session_key'], $user->as_array());
    return TRUE;
}

and convert the array data into a Model_User object when retrieving it to check for a logged in state. Now my login works as it did before!

This issue needs to be investigated and resolved for the next release of Kohana.

History

Updated by Yori Kvitchko 7 months ago

I believe I know the cause of this and will be submitting a separate bug describing the issue shortly. Look for it under new issues for the Auth module, it will contain Security Concern in the name. It has to do with the fact that when the Model_User object is retrieved from the session, it is unserialized. When an object is unserialized it calls the __wakeup function which, in ORM, calls the reload() function causing it to reload the data with find(private_key). If the private key is somehow incorrectly stored or NULL, it won't reload correctly.

In your case, the issue sounds like an incorrect database/model configuration on what the private key is. I still believe the problems are caused by what I described though.
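An added illustration of the mechanism described in the comment above (this is not Kohana's code and not code posted by any participant): a hypothetical DemoUser class whose __wakeup() reloads the row by primary key from a constructed in-memory user table, showing why an object without a valid key comes back empty after the session round-trip while the reporter's as_array() workaround does not.

```php
<?php
// Constructed stand-in for the user table (hypothetical data, not a real DB).
$USERS = [
    7 => ['id' => 7, 'username' => 'alice', 'email' => 'alice@example.invalid'],
];

class DemoUser
{
    public $data = [];
    private $primary_key = 'id';

    public function __construct(array $row = [])
    {
        $this->data = $row;
    }

    // Imitates the ORM behaviour from the comment: after unserialize(),
    // PHP calls __wakeup(), which reloads the model by its primary key.
    public function __wakeup()
    {
        $this->reload();
    }

    public function reload()
    {
        global $USERS;
        $pk = isset($this->data[$this->primary_key])
            ? $this->data[$this->primary_key] : null;
        // A NULL or unknown key finds no row, so the object ends up empty.
        $this->data = ($pk !== null && isset($USERS[$pk])) ? $USERS[$pk] : [];
    }

    public function as_array()
    {
        return $this->data;
    }
}

// Simulate what the session does: serialize on store, unserialize on read.
$no_pk    = new DemoUser(['username' => 'alice']);   // primary key missing
$restored = unserialize(serialize($no_pk));
var_dump($restored->as_array());                     // empty: the reported symptom

$with_pk  = new DemoUser($USERS[7]);                 // primary key present
$restored = unserialize(serialize($with_pk));
var_dump($restored->as_array());                     // full row reloaded

// The reporter's workaround stores a plain array, which has no __wakeup().
var_dump(unserialize(serialize($no_pk->as_array())));
```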

Updated by Isaiah DeRose-Wilson 7 months ago

  • Status changed from New to Feedback
  • Priority changed from High to Normal

Have you modified the Model_User class? It sounds like something is wrong with your code that is causing the serialisation of the model to fail. Perhaps your primary key is different/wrong?

Updated by Newbie Fletcher 7 months ago

Actually I just upgraded from 3.1.x to 3.2, then I started having issues with the logged in state of my application with no other changes made.

My primary key is the same as it was in version 3.1.x, the auto increment id field of the user table.

I think the situation described by @Yori Kvitchko might be the cause of it. I'll have a look at his bug report / patch once he submits it.

Updated by Isaiah DeRose-Wilson 4 months ago

  • Status changed from Feedback to Closed
  • Resolution set to invalid

The user model is serialized and stored in the session. There is no security concern about the id getting changed because the cookie is signed. If someone edited the cookie to change the id the cookie would be rejected and the user would be logged out.

If you still think there is a problem here please re-open this issue and provide more details so we can figure out what is happening.
