Remove session set value will convert to an array/obj value. #37
Comments
Hello @Moln, kind regards
This design decision is pretty odd and should have nothing to do with memcache or adapters as long as it serializes to a string. Of course, JSON is easier to parse for NON-PHP environments, but we're talking about PHP storing its data to a session storage. I don't see the case that any other NON-PHP application should read PHP's session storage... The much better (and faster) way would have been to use PHP's Maybe @weierophinney has more insights into this?
I disagree that it's "much better", and can argue that it's a bad choice for handling session data. First, if you Google for "php serialize security", you'll quickly discover that the internal serializer in PHP has had a slew of security vulnerabilities, the worst of which have led to RCE vectors. Most security experts indicate it should be avoided whenever possible. In particular, they indicate that storing serialized objects in a session is a recipe for additional security vectors, and should be avoided. On top of that, there are the problems of what data different session storage backends can actually store. ext-session is not the only target: we want to support cache backends (redis, memcache), and non-persistent backends such as JWT. If we consider security of data and the breadth of options for storing session data,
Thanks for your response. If Regarding different storage backends: I have never seen a backend that is not capable of storing a string. Redis and Memcache don't care if the data you store is encoded using JSON or PHP's serialize. So that shouldn't be a problem either, or am I missing something? The only plausible reason for me to implement something like It would be easy to modify this behaviour in Session, but then I would also have to adapt those The only reasonable workaround is to serialize the object myself, set the serialized string into the session (json_decode/encode is basically a no-op then) and do an unserialize after getting it from session.
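The two points argued above (objects stored in a JSON-only session come back as arrays, and the "serialize it yourself" workaround must not hand untrusted strings to a bare `unserialize()`) can be shown in a few lines. This is an added example, not code from zend-expressive-session; it assumes PHP 8, and the class names `UserPreferences` and `JsonSession` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not zend-expressive-session code). It models the behaviour the
// thread describes: session values are round-tripped through json_encode() /
// json_decode(), so objects come back as plain arrays. Assumes PHP 8.

final class UserPreferences implements JsonSerializable
{
    public function __construct(public string $locale, public bool $darkMode) {}

    // Explicit, class-controlled JSON shape: no PHP-internal object state leaks.
    public function jsonSerialize(): array
    {
        return ['locale' => $this->locale, 'darkMode' => $this->darkMode];
    }

    // Rehydrate from the array the session hands back, validating each field
    // instead of trusting whatever shape the storage backend returned.
    public static function fromArray(array $data): self
    {
        if (!is_string($data['locale'] ?? null) || !is_bool($data['darkMode'] ?? null)) {
            throw new InvalidArgumentException('malformed UserPreferences in session');
        }
        return new self($data['locale'], $data['darkMode']);
    }
}

// Minimal stand-in for a JSON-only session (constructed for this example):
// whatever is set must survive json_encode()/json_decode(), which is the
// constraint the thread discusses.
final class JsonSession
{
    private array $data = [];

    public function set(string $key, mixed $value): void
    {
        // Same effect as extracting a "serializable value": objects become arrays.
        $json = json_encode($value, JSON_THROW_ON_ERROR);
        $this->data[$key] = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    }

    public function get(string $key): mixed
    {
        return $this->data[$key] ?? null;
    }
}

$session = new JsonSession();
$session->set('prefs', new UserPreferences('de_DE', true));

// The object did not survive as an object; only its JSON shape did.
$raw = $session->get('prefs');
assert(is_array($raw));

// Rehydration without unserialize(): the class decides what it accepts.
$prefs = UserPreferences::fromArray($raw);
assert($prefs instanceof UserPreferences && $prefs->locale === 'de_DE');

// The workaround named in the thread (serialize yourself, store the string,
// unserialize after reading). Once the string has left the process it is data
// the application re-reads, so pin allowed_classes to the one type expected;
// any other class name in the payload becomes __PHP_Incomplete_Class instead
// of being instantiated.
$session->set('prefs_str', serialize($prefs));
$back = unserialize(
    $session->get('prefs_str'),
    ['allowed_classes' => [UserPreferences::class]]
);
assert($back instanceof UserPreferences && $back->darkMode === true);
```

The `fromArray()` path is the one that keeps the session backend-agnostic, since every backend in the thread (ext-session, redis, memcache, JWT) can carry the JSON array. The `allowed_classes` option is what makes the self-serialize workaround tolerable: it limits which classes `unserialize()` may construct from stored data, which is the risk the serializer discussion above is about.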
Thanks to everyone for following and responding.
Yes, now I don't think this method ( e.g.: zendframework/zend-expressive-session-ext's
$_SESSION = $session->toArray(); // PhpSessionPersistence.php#L139
// Change to
$_SESSION = extractSerializableValue($session->toArray());
This repository has been closed and moved to mezzio/mezzio-session; a new issue has been opened at mezzio/mezzio-session#1.
I saw the Session::extractSerializableValue method comment. But most adapters can store a string after using the serialize() function. And I think this is the adapter layer. And then, I think it can be removed.