I get this error: unserialize() [function.unserialize]: Error at offset 290 of 320 bytes

It's just on a random page. I got these errors (I think) after implementing Auth. I'm using the cookie driver for sessions.
This is the cookie data:
__utma=182983609.1274655002.1367575185.1368001852.1368010115.12; __utmb=182983609.3.10.1368010115; __utmc=182983609; __utmz=182983609.1367575185.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); laravel_session=3e6361719cb9dc8925242b5651ea7858; 3e6361719cb9dc8925242b5651ea7858=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%3D
So there is a key laravel_session with data:
3e6361719cb9dc8925242b5651ea7858
And a key 3e6361719cb9dc8925242b5651ea7858 with data:
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
If I try to base64 decode the above string, it seems I get a correct string.
{"iv":"\/ikHWXh1kCan4BYzMBpnU85au6FSeWUX5rB6WMJJDM8=","value":"vT08s0pbBe\/mCpjhguy7730Zg6umH0h7WkaWMb08jDvBj4HVnr5YU+AlGHE5cU\/je1LLATpY++9nL2BtLQdldeYlOy\/yKtymswLCJL0nkgl7B4QOjyg9Ax+IVeVLeigrEyv5wPMu3+2sGQ1VBCk2XoLkk67hjpvZYRTfgVBjUdJ7F\/GQoxYkiceVZRkWlcNmoV42ODZ1q4n\/9ZqaXOXU9X3ZRH\/fsF+gH923ioOzJfxMzlei4RoYyuWYDOb82LzRX9MLrwp\/vI3thgywfcEvYB3atN+0uw2Vv9N11um4bW9inH\/3PCmQnYq6sJ+oLjFxpB6FIts3Jn121LfuXH0phluGfdJPNqA0eadgcMfQaobbtE4MWANHCNJRMR6O6BVHQPBmYWgVowMlI3oHG\/4PZzEggr0Q8SJA51NSZB7HcAE=","mac":"2bf63f9f97775286365f6435d79797ad668d21dfff4ed5167c48a1fe0986f315"}
Is it possible the session data is messed up so he could not unserialize the data? Anything else I could try/debug/log?
A friend of mine also gets the error without logging in. It seems that something puts random data in the cookie :(
This is his session payload:
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
Which decodes to
{"iv":"vA9etI+tgPA7G0ZLRMDtscRXC4LrvO0GbcgDGeChMPQ=","value":"4eCuUiY+G05AeJljBgwnH3fZhQpUxCo0OMi9frlP1Uh8z5mSh4Pw8k3oqqZs4MlNJGQDktugPrAVpWU1RfiPnrC0jG3PqtTX0bKzoMH1K1PYQFGVkxCdqZN0qCkWHWJrP\/FZsVRnemVmlz4h4Xy\/QXfYdf9d4cZfR56\/kfMypewrMxHNCDVCxg\/OUu3wCS1nYWbY03Ya\/G0RNub6P4JtkajppUGHhIOiK\/r61dAHW6ojSVCNljlKjqrP9okBhpFPmUCR6Z0rMfQ90RBAemsyzKXm1Hn9ECZ0HctR6WkRNZBuAdK\/pe3feuRLUXwtrJrLXqKXSpqBpRw3ARyxMGeQAQ==","mac":"32af902df3adea845753d25c1b096eac2efc3dbddac2bac259489ac50f8762c2"}
Did you recently update? I made some changes to the session recently. Maybe try flushing the session and trying again?
Yes, I update it every few days. But it seems there is more going on. Also after removing the cookies it works. I try to reproduce when the error occurs, but no success yet. I'll update the issue when I know more. Can I test anything?
So you can reproduce or no?
I've gotten this several times over the past few days but not really consistently enough to debug. Cleared all cookies, incognito mode, etc. and still appeared. I'll try to reproduce today and provide details.
No, not at the moment, my gf is using the site and can't figure out what's happening exactly before she got the error.
Hmm, yeah definitely report back if you can recreate.
Ok I can now reproduce this regularly on this one page, but only with the cookie session driver. Switching to another driver and going back still has the problem, so it's a problem with the stored cookie.
unserialize(): Error at offset 420 of 448 bytes
Doing an echo of the rtrim() results in a garbled mess (towards the end of the string):
s:413:"_sf2_attributes|a:5:{s:6:"_token";s:40:"4CL9riUwmlguZpneUj1DNSZ3wlRtXZwY0OawpadG";s:9:"flash.old";a:0:{}s:9:"flash.new";a:0:{}s:13:"loginRedirect";s:33:"http://app.local.example.com/accounts";s:16:"cartalyst_sentry";a:2:{i:0;s:14:"[email protected]";i:1;s:60:"$2y$10$twJbek9wfj5SchXNAt412eym27YzoN45K5G6TDT1IOa1WImdXchEi";}}_sf2_flashes|a:0:{}_sf2_meta|a:3:{s:1:"u";i:1368037500;s:1:"c";i:1368037486;s:1:"l";s:4:"720OÎT‘5zϧ dç›à‰'P"¸ïŒ*õ“˜l 5Cs
Relevant environment info:
PHP Version 5.4.14
MCrypt Version 2.5.8
Even echoing the $iv = base64_decode($payload['iv']); line results in a bad decode. I'm wondering if this error would be happening elsewhere when the session is being set? What other info can I provide?
Those weird characters at the end are definitely sticking out to me... what's up with those? What if you don't use Sentry?
And you say it only happens with the cookie driver?
Yeah cookie driver. I tested native, cookie, and apc. I can try others too. I can try to test without sentry but the app is pretty dependent on it.
So do you do anything in particular that you can tell to trigger it. Are you adding anything to the session at that time, etc.?
Nope. Controller only loads a view, removed all Route::bind calls, filters don't do any writing, just auth checks. I can reproduce by logging in, going to one page that displays a resource, going to a plain view page, back to the resource page. So just back and forth until it happens. Trying to remove pieces here and there to see when it stops throwing the error..
K. Thanks. Would really like to figure this out.
Well now I can't seem to recreate it. :\ Ugh I'm really confused on why this is happening now. Just updated the framework to see if I was stuck between two commits for session stuff but it was only 0760515 => 7fb5858 which doesn't have any session stuff between.
Hmm... if you get to where you can recreate it again. One possible thing to check would be to log the string $data in CookieSessionHandler class... line 56.
Note that I said log and not dump. Dumping it would screw up the cookie writes.
Ok, yeah I'll do that when it happens again.
On May 8, 2013 at 2:40:52 PM, Taylor Otwell ([email protected]) wrote:
Note that I said log and not dump. Dumping it would screw up the cookie writes.
Any luck recreating?
One thing I'm noticing is in your base64 decodes, there is no MAC key, there is only an IV and value, which isn't right. I'm wondering if perhaps the cookie driver is getting overloaded with more than 4k of data and is not encrypting right? Something like that?
Notice how in this cookie I have an IV, value, and MAC:
Blah, nevermind you guys do have macs.
I'm thinking this might be something to do with the 4kb issue. Just thinking out loud here to help out. When this data is encrypted and the data is put into the cookie it might be getting trimmed down by that limit and stuffing up the end when trying to un-serialize it. The encryptor spews out varying length strings, doesn't it? That may explain the randomness of this problem occurring.
I'm a little concerned by that Cookie test randomly blowing up with the same error.
@taylorotwell It did happen once on me (travis build), https://travis-ci.org/crynobone/framework/jobs/6978881. And this is base laravel/framework without any modification (but completely random).
4kb is quite a bit of data.
The responses to this are quite interesting
http://stackoverflow.com/questions/4100324/how-many-characters-can-be-stored-in-4kb
If I can only store 4096 chars in a cookie then what can I put in encrypted to reach that total. See my example:
$string = str_repeat('a', 1500);
$enrypted = Crypt::encrypt($string);
$encoded = base64_encode($enrypted);
echo strlen($encoded);
// Outputs ~3950 length but can be more or less on each request
So that means our real limit of data unencrypted is ~1500
I'm not sure it's the 4k thing since we're seeing it randomly on tests.
On May 8, 2013, at 8:33 PM, helmut [email protected] wrote:
4kb is quite a bit of data.
The responses to this are quite interesting
http://stackoverflow.com/questions/4100324/how-many-characters-can-be-stored-in-4kb
If I can only store 4096 chars in a cookie then what can I put in encrypted to reach that total. See my example:
$string = str_repeat('a', 1500);
$enrypted = Crypt::encrypt($string);
$encoded = base64_encode($enrypted);
echo strlen($encoded);
// Outputs ~3950 length but can be more or less on each request
So that means our real limit of data unencrypted is ~1500
Yes I think you are right. When a base 64 encoded string is cut short and decoded it does not append those jumbled chars. When an encrypted string is cut short and decrypted it throws an exception!
This might be of interest
http://stackoverflow.com/questions/1321669/php-mcrypt-mangles-beginning-of-string-to-garbage
Mainly the comments on the first accepted answer in regards to IV and MAC protection only working on the first block. Not sure if this is the answer but who knows...
This is fixed. The PKCS7 padding was kind of jacked up.
Great... Good to get that sorted before RC.
Thanks for the fix Taylor!
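Added illustration, not part of the thread and not Laravel's Encrypter code: a strict PKCS#7 pad/unpad pair showing why a decrypted buffer with damaged trailing bytes should be rejected rather than passed to unserialize(). The function names, the 32-byte block size, the sample payload and the use of PHP 7+ type hints are assumptions made for this example.

```php
<?php
// Added illustration; not Laravel's Encrypter. BLOCK_SIZE = 32 is an assumption.
const BLOCK_SIZE = 32;

// PKCS#7: append N bytes of value N (1..block size); a full block if already aligned.
function pkcs7_pad(string $data, int $block = BLOCK_SIZE): string
{
    $pad = $block - (strlen($data) % $block);
    return $data . str_repeat(chr($pad), $pad);
}

// Strict removal: throw rather than hand unverified bytes to unserialize().
function pkcs7_unpad(string $data, int $block = BLOCK_SIZE): string
{
    $len = strlen($data);
    if ($len === 0 || $len % $block !== 0) {
        throw new UnexpectedValueException('length is not a multiple of the block size');
    }
    $pad = ord($data[$len - 1]);
    if ($pad < 1 || $pad > $block) {
        throw new UnexpectedValueException('invalid padding length byte');
    }
    if (substr($data, -$pad) !== str_repeat(chr($pad), $pad)) {
        throw new UnexpectedValueException('padding bytes do not match');
    }
    return substr($data, 0, $len - $pad);
}

// Constructed sample session payload (not taken from the thread).
$session = serialize(['_token' => str_repeat('x', 40), 'flash' => []]);

// Round trip, including a payload that is exactly block-aligned.
foreach ([$session, str_repeat('a', 2 * BLOCK_SIZE)] as $plain) {
    if (pkcs7_unpad(pkcs7_pad($plain)) !== $plain) {
        throw new LogicException('round trip failed');
    }
}
echo "round trip ok\n";

// A buffer with damaged trailing bytes is rejected before unserialize() runs.
// With an iv/value/mac envelope, the MAC check should already have failed first.
$damaged = substr(pkcs7_pad($session), 0, -3) . "\xCE\x54\x91";
try {
    var_dump(unserialize(pkcs7_unpad($damaged)));
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```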
I'm still getting this error. Everything was working fine until I took the pull on our production server and ran the composer install command. Is there any fix for it?
Also experiencing this error since a few days, running Laravel 5.6.38.
@touqeershafi @chescos https://laravel-news.com/laravel-5-6-30
Have the same issue on Laravel 5.4 and Laravel 5.5.
unserialize : error at offset 0 of 40 bytes
The error only appears when using Google Chrome.
Any fix for it?