
FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Session::set() bug
  • This one had me scratching my head for hours. You can set a session variable to a value using this: Session::set($name, $value); This will set the session variable of name $name to $value. Now, if $name is passed in as a NULL, the $value will obliterate the whole session array, so all session variables will disappear. Worse than that, if $value is not an array, then it will break any further attempt to set or get any session variables until the session is "reset" using this statement: Session::set(NULL, array()); I think there needs to be some stricter protection in this method, to ensure the session variable array is not corrupted. If NULL is to be supported as a name, then when it is NULL, Session::set() needs to be very sure the $value passed in is an associative array, otherwise sessions for that user break big time until they clear their cookies so a new session can be started. I found this by accident while coding, and accidents do happen. Sorry if this is not the appropriate place to report this, but I still have not found anywhere else to report bugs.
  • I think this is related to the code change, where the Arr class is now used to get and set values. For Arr, this is expected behaviour, but I understand this shouldn't be the case for Session. Bugs can be reported on GitHub per repository, in this case http://github.com/fuel/core/issues. I just pushed a fix for this.
  • Yes, the session was passing the value through to the Arr class, and it was the Arr class raising the fatal exception. The Session::set() method needs to either throw out NULL if passed as the name, or ensure value is an associative array before using it to *replace* the associative array that the session values are stored in. I understand supporting NULL to allow the complete session array to be written may well be intended behaviour. I also appreciate there is a further layer of drivers between the session and the Arr class, which may have their own way of handling a NULL name that is beyond my understanding. -- Jason
  • For Arr it is, for session it isn't. Arr uses the null value to do some replacing using the passed value, which is undesired behaviour for Sessions. I've now blocked $name = null from updating the session data.
  • Harro Verton wrote on Monday 23rd of January 2012:
    I've now blocked $name = null from updating the session data.

    Cool. That will help prevent much head scratching by accidentally poisoning the session.
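
The failure mode discussed in this thread, as an added PHP example that is not FuelPHP's code or any poster's: `arr_set()` and `DemoSession` are hypothetical stand-ins for an array helper and a session wrapper, and returning `false` for a rejected null name is an assumption. It runs the same three calls with and without a null-name guard.

```php
<?php
// Added illustration: arr_set() and DemoSession are hypothetical stand-ins,
// not FuelPHP's Arr or Session classes. Sample values are constructed.
// A null key replaces the whole array, as the thread describes for the helper.
function arr_set(&$array, $key, $value)
{
    if ($key === null) {
        $array = $value;               // whole container replaced
        return;
    }
    $ref = &$array;
    foreach (explode('.', $key) as $part) {
        if (!is_array($ref)) {
            throw new RuntimeException('session store is no longer an array');
        }
        if (!array_key_exists($part, $ref)) { $ref[$part] = array(); }
        $ref = &$ref[$part];
    }
    $ref = $value;
}

class DemoSession
{
    public $data = array();
    private $guard;
    public function __construct($guard) { $this->guard = $guard; }

    public function set($name, $value)
    {
        // Guarded form refuses a null name; returning false is an assumption.
        if ($this->guard && $name === null) {
            return false;
        }
        arr_set($this->data, $name, $value);
        return true;
    }
}

foreach (array(false, true) as $guard) {
    $s = new DemoSession($guard);
    $s->set('user_id', 42);
    $s->set(null, 'oops');             // accidental null name
    try {
        $s->set('cart', array('sku-1'));
        echo ($guard ? 'guarded' : 'unguarded'), ': ', json_encode($s->data), "\n";
    } catch (RuntimeException $e) {
        echo ($guard ? 'guarded' : 'unguarded'), ': ', $e->getMessage(), "\n";
    }
}
```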
