I want to share a single authentication method for two Symfony
websites sharing the same top-domain.
I use a cookie valid on all subdomains and sfPDOSessionStorage for
keeping session data.

factories.yml is set up like this on both projects:

    all:
      storage:
        class: sfPDOSessionStorage
        param:
          database: doctrine
          db_table: sessions
          session_name: myauth
          db_id_col: id
          db_data_col: sess_data
          db_time_col: time
          session_cookie_domain: ".mydomain.net"
          session_cookie_lifetime: 86400
          session_cookie_path: /

On my development machine and on my co-worker's machine this
mechanism is working fine but on the server it does not (I'm asked for
credentials when I switch sub-domains). The only difference I see
between the two environments is the format in which the data is
stored, the data seems to be encrypted on the prod server but appears
in clear text on my machine. There's no sensitive data here so I can
post an example:

Dev environment sess_data:

    symfony/user/sfUser/lastRequest|i:1295349567;symfony/user/sfUser/authenticated|b:0;symfony/user/sfUser/credentials|a:0:{}symfony/user/sfUser/attributes|a:1:{s:30:"symfony/user/sfUser/attributes";a:1:{s:7:"referer";s:0:"";}}symfony/user/sfUser/culture|s:2:"fr";

Production server sess_data:

 
BB7HBTsQg75NNGvb9Z8sexldqbS79YzDgrztQzSFhsUpEk2EeCOtKw8FQbm31vLIRyr3ZP_klwZFXywnkdem27naIWjIVBP_WwpwNRg4IMj1J0fIfxJN_UOw2RbCWh91L5ryCD_7_ynN2UtxfuJwUWnxoGuUvqD8YQxNdczQipmktPVFk1mVfKE1-
BsrdHHLIXH_gi44-Bos3f-EshE5skuQpachnY1FkgvvvOuXEj7zxPflgA3xtGoqJxkDijT-
uKnQCH4TrimhvkIRGCt0oVuOdsAJzuWW6ijgPCD3X767mSIzm_lQmJoSGxDB7fAgFihB7Ljoq0tsysC62BqTYFB6dTnuZoj3KON8lXlyNJZVyLgTWZ3EYoObtc8jCKYNDonSjEqzTvwg4NJRVoB5ePx61iTqbDd9qFlkryzj9J8.

I haven't got a clue which encryption type is used to store
information in the database, nor am I sure that this is the root of my
problems but as this is the only difference I can spot, I don't see
any other explanation. (PHP and MySQL versions are identical, with
Ubuntu 10.10 on my side and Debian Squeeze server-side).
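
A way to tell the two sess_data shapes apart programmatically, as an added example that is not part of the original post: a small reader for PHP's default "php" session serialization, which decodes the development row and rejects anything that is not in that format. The function names are hypothetical, and it assumes the plain rows use the default serialize handler.

```python
# Added example: reader for PHP's "php" session format; handles N, i, b, d, s, a (no objects).
SCALARS = {b"i": int, b"b": lambda raw: raw == b"1", b"d": float}

def _expect(buf, pos, token):
    if buf[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")

def _value(buf, pos):
    """Parse one serialized value at pos; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                              # N;
        _expect(buf, pos + 1, b";")
        return None, pos + 2
    _expect(buf, pos + 1, b":")
    if tag in SCALARS:                           # i:42;  b:0;  d:1.5;
        end = buf.index(b";", pos)
        return SCALARS[tag](buf[pos + 2:end]), end + 1
    colon = buf.index(b":", pos + 2)             # end of the length/count field
    size = int(buf[pos + 2:colon])
    if tag == b"s":                              # s:LEN:"bytes";  (LEN is a byte count)
        start = colon + 2
        _expect(buf, colon + 1, b'"')
        _expect(buf, start + size, b'";')
        return buf[start:start + size].decode("utf-8"), start + size + 2
    if tag == b"a":                              # a:COUNT:{key value ...}
        _expect(buf, colon + 1, b"{")
        pos, out = colon + 2, {}
        for _ in range(size):
            key, pos = _value(buf, pos)
            out[key], pos = _value(buf, pos)
        _expect(buf, pos, b"}")
        return out, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")

def decode_session(data: bytes) -> dict:
    """Decode a sess_data value; ValueError means it is not plain PHP session data."""
    pos, session = 0, {}
    while pos < len(data):
        bar = data.index(b"|", pos)              # raises ValueError if no name|value is left
        session[data[pos:bar].decode("utf-8")], pos = _value(data, bar + 1)
    return session

def is_plain_php_session(data: bytes) -> bool:
    try:
        return bool(decode_session(data))
    except ValueError:
        return False

# The development row quoted in the post above, as one line.
DEV_SAMPLE = b'symfony/user/sfUser/lastRequest|i:1295349567;symfony/user/sfUser/authenticated|b:0;symfony/user/sfUser/credentials|a:0:{}symfony/user/sfUser/attributes|a:1:{s:30:"symfony/user/sfUser/attributes";a:1:{s:7:"referer";s:0:"";}}symfony/user/sfUser/culture|s:2:"fr";'
```

Running `is_plain_php_session` over each row of the sessions table on both machines shows whether every production row is opaque or only some of them.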
