Cookie validation issue

Hi, dear all!

I don’t know whether the problem I faced should be considered a bug, which is why I am posting it in a separate thread to discuss it. I reproduced it with Yii 1.1.11-dev from github.com and stable Yii 1.1.10. It seems to me that this old thread could also be related to this problem.

These are the steps to reproduce:

  1. Use the configuration file `protected/config/main.php` from the default installation of a web application.

  2. Implement user’s authentication specifying positive `$duration` argument of `CWebUser::login($identity, $duration=0)`.

  3. Log in on your website checking "Remember me".

  4. Close your browser.

  5. Edit `protected/config/main.php` by adding the following lines to the `components` part:

         'request' => array(
             'enableCookieValidation' => true
         ),

  6. Open your browser and run your website.

The result:


    PHP warning
    mb_strlen() expects parameter 1 to be string, array given.

and error 500 on production site.

Here is the call stack from `application.log`:


    2012/06/22 23:13:59 [error] [php] mb_strlen() expects parameter 1 to be string, array given (/home/n/nebullus/toma.spb.ru/public_html/framework/base/CSecurityManager.php:314)
    Stack trace:
    #0 /home/n/nebullus/toma.spb.ru/public_html/framework/web/auth/CWebUser.php(443): CSecurityManager->validateData()
    #1 /home/n/nebullus/toma.spb.ru/public_html/framework/web/auth/CWebUser.php(196): WebUser->restoreFromCookie()
    #2 /home/n/nebullus/toma.spb.ru/public_html/framework/base/CModule.php(388): WebUser->init()
    #3 /home/n/nebullus/toma.spb.ru/public_html/framework/base/CModule.php(104): CWebApplication->getComponent()
    #4 /home/n/nebullus/toma.spb.ru/public_html/protected/components/BaseController.php(23): CWebApplication->__get()
    #5 /home/n/nebullus/toma.spb.ru/public_html/protected/controllers/GalleryController.php(10): GalleryController->__construct()
    #6 /home/n/nebullus/toma.spb.ru/public_html/framework/web/CWebApplication.php(349): GalleryController->__construct()
    #7 /home/n/nebullus/toma.spb.ru/public_html/framework/web/CWebApplication.php(270): CWebApplication->createController()
    #8 /home/n/nebullus/toma.spb.ru/public_html/framework/web/CWebApplication.php(135): CWebApplication->runController()
    #9 /home/n/nebullus/toma.spb.ru/public_html/framework/base/CApplication.php(162): CWebApplication->processRequest()
    #10 /home/n/nebullus/toma.spb.ru/public_html/index.php(13): CWebApplication->run()
    REQUEST_URI=/gallery.html

Web server’s operating system: Kubuntu 12.04 LTS

PHP version: 5.3.10

Browser: any (tested with Mozilla Firefox, Google Chrome and IE8 on Windows XP).

The workaround is to clear browser’s cookies, and everything will work well. But it’s not a good idea to ask a user to clear his browser’s settings when I want to enable cookie validation.

Looks like a bug, application should not trust cookie content like this. Please report this issue on github and post a link here.

Dear CeBe, thank you for the reply.

I’ve opened an issue.
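
An added illustration of the point made in the reply above (an application should not trust cookie content), not part of the thread and not Yii framework code: a cookie value is type-checked before any HMAC work, so an array or other unexpected type is treated as an invalid cookie instead of raising a warning. The function names, the key, the JSON payload format and the use of PHP 7.1+ features are assumptions made for this sketch.

```php
<?php
// Added example with hypothetical helper names; this is not Yii's CSecurityManager.
const HMAC_ALGO = 'sha256';
const HMAC_LEN  = 64; // length of a hex-encoded SHA-256 HMAC

function signValue(string $data, string $key): string
{
    return hash_hmac(HMAC_ALGO, $data, $key) . $data;
}

// Returns the signed payload, or false when the cookie is not a string,
// is shorter than one MAC, or fails the HMAC comparison.
function validateCookieValue($raw, string $key)
{
    if (!is_string($raw) || strlen($raw) < HMAC_LEN) {
        return false; // arrays, null and truncated values are rejected here
    }
    $mac  = substr($raw, 0, HMAC_LEN);
    $data = substr($raw, HMAC_LEN);
    // hash_equals() compares in constant time
    return hash_equals(hash_hmac(HMAC_ALGO, $data, $key), $mac) ? $data : false;
}

// Restores login state or returns null; a bad cookie means "not logged in".
function restoreLogin($raw, string $key): ?array
{
    $data = validateCookieValue($raw, $key);
    if ($data === false) {
        return null;
    }
    $state = json_decode($data, true); // JSON assumed here instead of unserialize()
    return (is_array($state) && isset($state['id'], $state['name'])) ? $state : null;
}

// Constructed sample inputs, including the array case from the report above.
$key  = 'constructed-demo-key';
$good = signValue(json_encode(['id' => 7, 'name' => 'demo']), $key);
$samples = [
    'valid cookie'    => $good,
    'array value'     => ['id' => 7, 'name' => 'demo'],
    'tampered cookie' => substr_replace($good, 'X', -1),
    'too short'       => 'abc',
];
foreach ($samples as $label => $raw) {
    echo $label, ': ', var_export(restoreLogin($raw, $key), true), PHP_EOL;
}
```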