From b37c966aea22b690225f45d217d0ada07cb20286 Mon Sep 17 00:00:00 2001
From: Taylor Otwell <taylorotwell@gmail.com>
Date: Tue, 28 Feb 2012 10:06:53 -0600
Subject: [PATCH] improve session ID assignment to avoid possible overlaps.

Signed-off-by: Taylor Otwell <taylorotwell@gmail.com>
---
 laravel/session/drivers/apc.php       |  2 +-
 laravel/session/drivers/cookie.php    |  2 +-
 laravel/session/drivers/database.php  |  2 +-
 laravel/session/drivers/driver.php    | 47 ++++++++++++++++++++++++---
 laravel/session/drivers/file.php      |  2 +-
 laravel/session/drivers/memcached.php |  2 +-
 laravel/session/drivers/redis.php     |  2 +-
 laravel/session/payload.php           | 16 +++------
 8 files changed, 53 insertions(+), 22 deletions(-)

diff --git a/laravel/session/drivers/apc.php b/laravel/session/drivers/apc.php
index a45efaa0..d3148366 100644
--- a/laravel/session/drivers/apc.php
+++ b/laravel/session/drivers/apc.php
@@ -1,6 +1,6 @@
 <?php namespace Laravel\Session\Drivers;
 
-class APC implements Driver {
+class APC extends Driver {
 
 	/**
 	 * The APC cache driver instance.
diff --git a/laravel/session/drivers/cookie.php b/laravel/session/drivers/cookie.php
index 15afc8e7..d15d7063 100644
--- a/laravel/session/drivers/cookie.php
+++ b/laravel/session/drivers/cookie.php
@@ -2,7 +2,7 @@
 
 use Laravel\Crypter;
 
-class Cookie implements Driver {
+class Cookie extends Driver {
 
 	/**
 	 * The name of the cookie used to store the session payload.
diff --git a/laravel/session/drivers/database.php b/laravel/session/drivers/database.php
index 6279b10e..c094a91f 100644
--- a/laravel/session/drivers/database.php
+++ b/laravel/session/drivers/database.php
@@ -3,7 +3,7 @@
 use Laravel\Config;
 use Laravel\Database\Connection;
 
-class Database implements Driver, Sweeper {
+class Database extends Driver implements Sweeper {
 
 	/**
 	 * The database connection.
diff --git a/laravel/session/drivers/driver.php b/laravel/session/drivers/driver.php
index 9ba0884e..03e6fb2c 100644
--- a/laravel/session/drivers/driver.php
+++ b/laravel/session/drivers/driver.php
@@ -1,6 +1,6 @@
-<?php namespace Laravel\Session\Drivers;
+<?php namespace Laravel\Session\Drivers; use Laravel\Config, Laravel\Str;
 
-interface Driver {
+abstract class Driver {
 
 	/**
 	 * Load a session from storage by a given ID.
@@ -10,7 +10,7 @@ interface Driver {
 	 * @param  string  $id
 	 * @return array
 	 */
-	public function load($id);
+	abstract public function load($id);
 
 	/**
 	 * Save a given session to storage.
@@ -20,7 +20,7 @@ public function load($id);
 	 * @param  bool   $exists
 	 * @return void
 	 */
-	public function save($session, $config, $exists);
+	abstract public function save($session, $config, $exists);
 
 	/**
 	 * Delete a session from storage by a given ID.
@@ -28,6 +28,43 @@ public function save($session, $config, $exists);
 	 * @param  string  $id
 	 * @return void
 	 */
-	public function delete($id);
+	abstract public function delete($id);
+
+	/**
+	 * Insert a fresh session and return the payload array.
+	 *
+	 * @return array
+	 */
+	public function fresh()
+	{
+		// We will simply generate an empty session payload array, using an ID
+		// that is not currently assigned to any existing session within the
+		// application and return it to the driver.
+		return array('id' => $this->id(), 'data' => array(
+			':new:' => array(),
+			':old:' => array(),
+		));
+	}
+
+	/**
+	 * Get a new session ID that isn't assigned to any current session.
+	 *
+	 * @return string
+	 */
+	public function id()
+	{
+		$session = array();
+
+		// We'll containue generating random IDs until we find an ID that is
+		// not currently assigned to a session. This is almost definitely
+		// going to happen on the first iteration.
+		do {
+
+			$session = $this->load($id = Str::random(40));			
+
+		} while ( ! is_null($session));
+
+		return $id;
+	}
 
 }
\ No newline at end of file
diff --git a/laravel/session/drivers/file.php b/laravel/session/drivers/file.php
index f2df8622..d7e3b98f 100644
--- a/laravel/session/drivers/file.php
+++ b/laravel/session/drivers/file.php
@@ -1,6 +1,6 @@
 <?php namespace Laravel\Session\Drivers;
 
-class File implements Driver, Sweeper {
+class File extends Driver implements Sweeper {
 
 	/**
 	 * The path to which the session files should be written.
diff --git a/laravel/session/drivers/memcached.php b/laravel/session/drivers/memcached.php
index f6c73e5a..7eaa283a 100644
--- a/laravel/session/drivers/memcached.php
+++ b/laravel/session/drivers/memcached.php
@@ -1,6 +1,6 @@
 <?php namespace Laravel\Session\Drivers;
 
-class Memcached implements Driver {
+class Memcached extends Driver {
 
 	/**
 	 * The Memcache cache driver instance.
diff --git a/laravel/session/drivers/redis.php b/laravel/session/drivers/redis.php
index 1f93feab..f3b8f851 100644
--- a/laravel/session/drivers/redis.php
+++ b/laravel/session/drivers/redis.php
@@ -1,6 +1,6 @@
 <?php namespace Laravel\Session\Drivers;
 
-class Redis implements Driver {
+class Redis extends Driver {
 
 	/**
 	 * The Redis cache driver instance.
diff --git a/laravel/session/payload.php b/laravel/session/payload.php
index 3f73c851..bf23b94f 100644
--- a/laravel/session/payload.php
+++ b/laravel/session/payload.php
@@ -54,22 +54,17 @@ public function load($id)
 
 		// If the session doesn't exist or is invalid we will create a new session
 		// array and mark the session as being non-existent. Some drivers, such as
-		// the database driver, need to know whether the session exists in storage
-		// so they can know whether to insert or update the session.
+		// the database driver, need to know whether it exists.
 		if (is_null($this->session) or static::expired($this->session))
 		{
 			$this->exists = false;
 
-			$this->session = array('id' => Str::random(40), 'data' => array(
-				':new:' => array(),
-				':old:' => array(),
-			));
+			$this->session = $this->driver->fresh();
 		}
 
 		// A CSRF token is stored in every session. The token is used by the Form
 		// class and the "csrf" filter to protect the application from cross-site
-		// request forgery attacks. The token is simply a long, random string
-		// which should be posted with each request to the application.
+		// request forgery attacks. The token is simply a random string.
 		if ( ! $this->has(Session::csrf_token))
 		{
 			$this->put(Session::csrf_token, Str::random(40));
@@ -125,8 +120,7 @@ public function get($key, $default = null)
 
 		// We check for the item in the general session data first, and if it
 		// does not exist in that data, we will attempt to find it in the new
-		// and old flash data. If none of those arrays contain the requested
-		// item, we will just return the default value.
+		// and old flash data, or finally return the default value.
 		if ( ! is_null($value = array_get($session, $key)))
 		{
 			return $value;
@@ -247,7 +241,7 @@ public function flush()
 	 */
 	public function regenerate()
 	{
-		$this->session['id'] = Str::random(40);
+		$this->session['id'] = $this->driver->id();
 
 		$this->exists = false;
 	}