Reputation: 186
I have a database-based session storage solution. Works great! However, I have an issue with it storing a particular type of data.
I have an application which uses CSRF tokens. When a form is created, it will create a token for that form. The token is a hashed (sha256) value of different types of values. One copy goes to the form and another copy is stored in the sessions. Upon submitting the form, it compares the tokens to ensure that they match.
Below is an example of the destruct function which updates the db with the new data
UPDATE session_manager SET variables= :variables WHERE 1=1 AND id = :id
array(2) {
[":variables"]=>
string(152) "a:1:{s:4:"CSRF";a:1:{s:8:"register";a:2:{s:5:"token";s:64:"e749603241dec1911ef3a40d98b2f5185d389434060483297394b504cc904ede";s:4:"time";i:1443456816;}}}"
[":id"]=>
string(2) "49"
}
The update statement is fine and works fine. This is the issue I have: the data is updated, however the 'token' value that you can see in the data above is not the same as the value in the db, which is below (this is a binary download of the data):
a:1:{s:4:"CSRF";a:1:{s:8:"register";a:2:{s:5:"token";s:64:"b48fc79fc2f51eff765c05476895238a42d9d45b2c1aeb7c6e4582d0381b7f4f";s:4:"time";i:1443456817;}}}
It would appear that mysql is changing the value and I cannot for the life of me figure out the issue. Solutions I've tried include:
Changing charsets of the db and whatnot. Tried different field types in the db, for example TEXT, LONGTEXT and BLOB, which does not seem to work for me :(
Here is the sql for the db
CREATE TABLE session_manager(
id BIGINT(11) PRIMARY KEY AUTO_INCREMENT NOT NULL,
session_id VARCHAR(200),
user_agent TINYTEXT NOT NULL,
variables BLOB NOT NULL,
initial_time DATETIME DEFAULT CURRENT_TIMESTAMP NOT NULL,
regenerate_time DATETIME DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP NOT NULL
);
Any reasons that pop to mind?
Upvotes: 6
Views: 495
Reputation: 186
Ok. So after further investigation and taking in the input from everyone (Cheers by the way). I solved my issue.
Turns out it had nothing to do with mysql at all. It actually had to do with the "favicon.ico". I use fancy urls as you do and because I'm in dev, I never bothered with the favicon. By default, upon loading of the page it tries to find a favicon (http://localhost/favicon.ico). The system assumes that a user is attempting to access a controller (I use mvc) and because the controller doesn't exist, it redirects to the home page. The home page requires a token generated because there is a form on it and as a result it generates a token a second time voiding the original token. It was something I realised after looking at all the network connections through the developer console.
Upvotes: 1
Reputation: 129
Have you looked at the time index of your array? It seems like it changed as well. This makes me think the method for saving the session is executed (at least) twice. The second time the session is updated and overwrites the old value.
Run this code with a debugger attached, or print/log a stack trace every time your function is called. This should give you a pretty good idea when the value is updated again.
PS: Is the update query called again on the next request, before you can retrieve the value?
Upvotes: 1
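The overwrite diagnosed in both answers above (a second request regenerating the token before the form is submitted) can be made harmless by issuing tokens idempotently. The following is an added example, not code from any poster in this thread: it reuses the CSRF/register/token/time session layout shown in the question, while the function names, the TTL and the use of random_bytes in place of the sha256-of-values token are assumptions.

```php
<?php
// Added example; csrf_issue, csrf_check and CSRF_TTL are hypothetical names.
const CSRF_TTL = 1800; // assumed token lifetime in seconds

// Return the token for $form, creating one only when none is stored or the
// stored one has expired. A repeated render of the same form (such as the
// favicon.ico request that ends up on the home page) gets the same token
// back instead of overwriting it.
function csrf_issue(array &$session, string $form, ?int $now = null): string
{
    $now = $now ?? time();
    $entry = $session['CSRF'][$form] ?? null;
    if (is_array($entry) && isset($entry['token'], $entry['time'])
        && $now - $entry['time'] < CSRF_TTL) {
        return $entry['token'];
    }
    // Assumption: a random token replaces the thread's sha256-of-values token.
    $token = bin2hex(random_bytes(32)); // 64 hex characters
    $session['CSRF'][$form] = ['token' => $token, 'time' => $now];
    return $token;
}

// Check a submitted token in constant time; a token is consumed on success.
function csrf_check(array &$session, string $form, string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    $entry = $session['CSRF'][$form] ?? null;
    if (!is_array($entry) || !isset($entry['token'], $entry['time'])
        || $now - $entry['time'] >= CSRF_TTL) {
        return false;
    }
    if (!hash_equals($entry['token'], $submitted)) {
        return false;
    }
    unset($session['CSRF'][$form]);
    return true;
}

// Constructed walk-through of the request sequence described in the thread.
$session = [];
$first  = csrf_issue($session, 'register', 1443456816); // form page render
$second = csrf_issue($session, 'register', 1443456817); // stray favicon.ico request
var_dump($first === $second);                            // token survives the second render
var_dump(csrf_check($session, 'register', $first, 1443456820)); // form submit
var_dump(csrf_check($session, 'register', $first, 1443456821)); // replay of a used token
```

Answering unknown paths such as /favicon.ico with a 404 instead of redirecting to the home page removes the stray request itself, so the two measures complement each other.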