
Decoding base64 and serialization in laravel session issue #20

Open
diselostudio opened this issue Feb 12, 2025 · 1 comment

Comments

@diselostudio

Hi there 👋 !

On a fresh setup with Laravel 11, PHP 8.4 and Inertia-Vue I had an issue with my CSRF token being regenerated on every page visit, making the CSRF token validation fail (the cookie token not matching the DB payload token) and receiving a 419 on every non-GET submission.

Why? When retrieving the session from the DB, the handler decodes both the serialized id and the payload as base64, resulting in weird behavior. This decoding is already handled by Laravel's session Store.

See a session properly stored in Turso:

[Image: screenshot of the stored session row]

Then on a subsequent request, Laravel starts the session and retrieves it from the handler:

https://github.com/laravel/framework/blob/d95f6a5dcb19403269eaa2df459b70944c1c9d4f/src/Illuminate/Session/Store.php#L110-L130

At handler level, the session payload is base64 decoded:

https://github.com/laravel/framework/blob/d95f6a5dcb19403269eaa2df459b70944c1c9d4f/src/Illuminate/Session/DatabaseSessionHandler.php#L90-L112

At this point the session payload values have already been double decoded by the LibsqlStatement query:

```php
$result = $this->statement->query()->fetchArray();
$rows = decodeDoubleBase64($result);

function decodeDoubleBase64(array $result): array
{
    if (isset($result) && is_array($result)) {
        foreach ($result as &$row) {
            foreach ($row as $key => &$value) {
                // Date/timestamp strings are left untouched (driver helper, not shown here).
                if (is_string($value) && isValidDateOrTimestamp($value)) {
                    continue;
                }
                // Any string that json_decodes to a truthy value is replaced by the decoded value.
                if (is_string($value) && $decoded = json_decode($value, true)) {
                    $value = $decoded;
                }
                // Any remaining string that passes the driver's blob heuristic is
                // base64-decoded twice; a Laravel session payload (base64 of serialize())
                // is valid base64, so it falls into this branch.
                if (is_string($value) && isValidBlob($value)) {
                    $value = base64_decode(base64_decode($value));
                }
            }
        }
    }
    return $result;
}
```

And the data is not unserialized properly, making the session payload and id invalid.

```php
dd($result, $rows);
```

[Image: screenshot of the dd() output]

When commenting out the double base64 decoding, everything works fine. Would love to know the reason behind this double decoding strategy, and whether anyone else around is having the same issue.

TY in advance!
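To make the failure mode described in this issue concrete, here is an added PHP example. It is not code from the issue, from Laravel, or from the libsql driver; it simulates the payload round trip that Laravel's DatabaseSessionHandler and session Store perform (encode with base64(serialize()) on write, one base64_decode plus unserialize() on read) and puts a stand-in for the driver-level double decode in front of it. The function names storePayload, readPayload and driverDoubleDecode and the session attributes are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not the issue author's, Laravel's or the libsql driver's code).
// It simulates the Laravel session payload round trip so the effect of an extra
// driver-level base64 decode can be observed directly. Function names are assumed.

// What Laravel's DatabaseSessionHandler::write() stores in the payload column:
// base64 of the serialized session attributes.
function storePayload(array $attributes): string
{
    return base64_encode(serialize($attributes));
}

// What DatabaseSessionHandler::read() followed by Store::readFromHandler() do with
// the column value: one base64_decode, then unserialize(). Anything that does not
// unserialize to an array is treated as "no session", and Laravel starts a fresh one.
function readPayload(string $column): ?array
{
    $raw = base64_decode($column);
    if ($raw === false) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Stand-in for the driver behaviour reported in the issue: the row value is
// base64-decoded twice before the session handler ever sees it.
function driverDoubleDecode(string $column): string
{
    return base64_decode(base64_decode($column));
}

// Constructed session attributes; _token is what the CSRF (419) check compares.
$session = ['_token' => 'constructed-csrf-token-value', 'user_id' => 42];
$stored  = storePayload($session);

// Correct path: the handler decodes the raw column once and gets the array back.
$intact = readPayload($stored);

// Broken path: the driver has already decoded twice, the handler decodes a third
// time, and unserialize() is handed garbage, so the session is lost.
$broken = readPayload(driverDoubleDecode($stored));

printf("raw column     -> %s\n", $intact === $session ? 'session restored' : 'session lost');
printf("driver-decoded -> %s\n", $broken === $session ? 'session restored' : 'session lost');

// A lost session means the Store loads [] and regenerates _token on every request,
// so the token in the next request's cookie never matches a stored one: hence the 419.
```

Run it with `php example.php`; the first line reports the session restored and the second reports it lost. The same check (does the stored column still unserialize to an array after the driver has handed it over?) is a quick way to confirm whether a driver is transforming column values before the application layer expects it to.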

@diselostudio (Author)

Forgot to mention: I am using the main branch and Sail.
