improve session ID assignment to avoid possible overlaps.
Signed-off-by: Taylor Otwell <taylorotwell@gmail.com>
This commit is contained in:
Taylor Otwell
parent
e4c03aab37
commit
b37c966aea
|
|
@ -1,6 +1,6 @@
|
|||
<?php namespace Laravel\Session\Drivers;
|
||||
|
||||
class APC implements Driver {
|
||||
class APC extends Driver {
|
||||
|
||||
/**
|
||||
* The APC cache driver instance.
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
use Laravel\Crypter;
|
||||
|
||||
class Cookie implements Driver {
|
||||
class Cookie extends Driver {
|
||||
|
||||
/**
|
||||
* The name of the cookie used to store the session payload.
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
use Laravel\Config;
|
||||
use Laravel\Database\Connection;
|
||||
|
||||
class Database implements Driver, Sweeper {
|
||||
class Database extends Driver implements Sweeper {
|
||||
|
||||
/**
|
||||
* The database connection.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
<?php namespace Laravel\Session\Drivers;
|
||||
<?php namespace Laravel\Session\Drivers; use Laravel\Config, Laravel\Str;
|
||||
|
||||
interface Driver {
|
||||
abstract class Driver {
|
||||
|
||||
/**
|
||||
* Load a session from storage by a given ID.
|
||||
|
|
@ -10,7 +10,7 @@ interface Driver {
|
|||
* @param string $id
|
||||
* @return array
|
||||
*/
|
||||
public function load($id);
|
||||
abstract public function load($id);
|
||||
|
||||
/**
|
||||
* Save a given session to storage.
|
||||
|
|
@ -20,7 +20,7 @@ public function load($id);
|
|||
* @param bool $exists
|
||||
* @return void
|
||||
*/
|
||||
public function save($session, $config, $exists);
|
||||
abstract public function save($session, $config, $exists);
|
||||
|
||||
/**
|
||||
* Delete a session from storage by a given ID.
|
||||
|
|
@ -28,6 +28,43 @@ public function save($session, $config, $exists);
|
|||
* @param string $id
|
||||
* @return void
|
||||
*/
|
||||
public function delete($id);
|
||||
abstract public function delete($id);
|
||||
|
||||
/**
|
||||
* Insert a fresh session and return the payload array.
|
||||
*
|
||||
* @return array
|
||||
*/
|
||||
public function fresh()
|
||||
{
|
||||
// We will simply generate an empty session payload array, using an ID
|
||||
// that is not currently assigned to any existing session within the
|
||||
// application and return it to the driver.
|
||||
return array('id' => $this->id(), 'data' => array(
|
||||
':new:' => array(),
|
||||
':old:' => array(),
|
||||
));
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a new session ID that isn't assigned to any current session.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function id()
|
||||
{
|
||||
$session = array();
|
||||
|
||||
// We'll containue generating random IDs until we find an ID that is
|
||||
// not currently assigned to a session. This is almost definitely
|
||||
// going to happen on the first iteration.
|
||||
do {
|
||||
|
||||
$session = $this->load($id = Str::random(40));
|
||||
|
||||
} while ( ! is_null($session));
|
||||
|
||||
return $id;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
<?php namespace Laravel\Session\Drivers;
|
||||
|
||||
class File implements Driver, Sweeper {
|
||||
class File extends Driver implements Sweeper {
|
||||
|
||||
/**
|
||||
* The path to which the session files should be written.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
<?php namespace Laravel\Session\Drivers;
|
||||
|
||||
class Memcached implements Driver {
|
||||
class Memcached extends Driver {
|
||||
|
||||
/**
|
||||
* The Memcache cache driver instance.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
<?php namespace Laravel\Session\Drivers;
|
||||
|
||||
class Redis implements Driver {
|
||||
class Redis extends Driver {
|
||||
|
||||
/**
|
||||
* The Redis cache driver instance.
|
||||
|
|
|
|||
|
|
@ -54,22 +54,17 @@ public function load($id)
|
|||
|
||||
// If the session doesn't exist or is invalid we will create a new session
|
||||
// array and mark the session as being non-existent. Some drivers, such as
|
||||
// the database driver, need to know whether the session exists in storage
|
||||
// so they can know whether to insert or update the session.
|
||||
// the database driver, need to know whether it exists.
|
||||
if (is_null($this->session) or static::expired($this->session))
|
||||
{
|
||||
$this->exists = false;
|
||||
|
||||
$this->session = array('id' => Str::random(40), 'data' => array(
|
||||
':new:' => array(),
|
||||
':old:' => array(),
|
||||
));
|
||||
$this->session = $this->driver->fresh();
|
||||
}
|
||||
|
||||
// A CSRF token is stored in every session. The token is used by the Form
|
||||
// class and the "csrf" filter to protect the application from cross-site
|
||||
// request forgery attacks. The token is simply a long, random string
|
||||
// which should be posted with each request to the application.
|
||||
// request forgery attacks. The token is simply a random string.
|
||||
if ( ! $this->has(Session::csrf_token))
|
||||
{
|
||||
$this->put(Session::csrf_token, Str::random(40));
|
||||
|
|
@ -125,8 +120,7 @@ public function get($key, $default = null)
|
|||
|
||||
// We check for the item in the general session data first, and if it
|
||||
// does not exist in that data, we will attempt to find it in the new
|
||||
// and old flash data. If none of those arrays contain the requested
|
||||
// item, we will just return the default value.
|
||||
// and old flash data, or finally return the default value.
|
||||
if ( ! is_null($value = array_get($session, $key)))
|
||||
{
|
||||
return $value;
|
||||
|
|
@ -247,7 +241,7 @@ public function flush()
|
|||
*/
|
||||
public function regenerate()
|
||||
{
|
||||
$this->session['id'] = Str::random(40);
|
||||
$this->session['id'] = $this->driver->id();
|
||||
|
||||
$this->exists = false;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue