Session changes when I iterate over SQL mapped table records


DevMan12

Sep 7, 2016, 4:52:01 AM9/7/16
to f3-fra...@googlegroups.com
When I comment out this part in the render view, the CSRF token works fine:
 
<?php if(!empty($therapist)){
    foreach($therapist as $ther){
?>
    <div class="col-md-4 col-sm-6 portfolio-item">
        <a href="#portfolioModal1" class="portfolio-link" data-toggle="modal">
            <div class="portfolio-hover">
                <div class="portfolio-hover-content">
                    <i class="fa fa-plus fa-3x"></i>
                </div>
            </div>
            <img src="img/portfolio/roundicons.png" class="img-responsive" alt="">
        </a>
        <div class="portfolio-caption">
            <a href="<?= BASE_URL; ?>therapist/<?= $ther->therapist_username; ?>">
                <img src="<?= imageshelper::one_image($ther->therapist_folder, false); ?>" style="border-radius:50%; border:3px solid #FFF">
            </a>
            <h4><?= $ther->therapist_name; ?>.</h4>
            <p class="text-muted"><?= $ther->therapist_region .", ".$ther->therapist_city; ?></p>
        </div>
    </div>
<?php } ?>
<?php } ?>

$therapist comes from the parent class that calls the render view:
$f3->set('therapist', $this->model("therapist")->find(["therapist_name<>?",""],["limit" => 3, "order" => "therapist_id DESC"]));



The session uses DB sessions, MariaDB from the XAMPP environment.

Somehow, when I iterate over the records, the session token is changed, but when I comment out the part above, the CSRF token works fine. Kind of weird behavior; what could be the reason behind this, since nothing in the code above sets any session token?

When I dump the $therapist record, there is a part where the session table is in the object; maybe that's the reason? Has anyone encountered this?
 

DevMan12

Sep 7, 2016, 6:01:33 AM9/7/16
to Fat-Free Framework
I investigated this further: the session saved in the DB is right, but when the record is iterated, it changes the value in the sessions table.

How is this possible, as there is no part in the iteration where I change the value of SESSION.csrftoken? I did not invoke it anywhere, not even in the imageshelper::one_image function. Could this be a bug?

DevMan12

Sep 7, 2016, 6:08:39 AM9/7/16
to Fat-Free Framework
Has anyone encountered this problem? I have been troubleshooting this since last night and can't find any solution; hopefully somebody can show the way. I don't want to change frameworks in the middle of this project.

ved

Sep 7, 2016, 7:06:00 AM9/7/16
to Fat-Free Framework
That is indeed strange, but there's not too much information to determine what's wrong.

What version of F3 are you using?

If you disable the use of csrf tokens completely, does everything work fine then?

If you change from database sessions to normal or cache based sessions, does it still behave in the same way?

DevMan12

Sep 7, 2016, 8:11:56 AM9/7/16
to f3-fra...@googlegroups.com
Hi, here's how it flows. These are all separate files. I have also tried the basic PHP session_start() and just using $_SESSION['csrftoken'] to set the value, but still the same. There is something about the PDO iteration that changes the session. BTW, I'm using the latest F3 and this is the first time I have used F3 for a project. Hopefully there is a solution for this.

It works fine if I remove the foreach iteration on $therapist.



/*=========================================================================
 * These are my routes
 *==========================================================================
 */

// frontend routes
$f3->route('GET /', 'Homepage->home');
// booking frontend
$f3->route('POST /booking', 'Client_bookings->post_search');


/*=========================================================================
 * This is my base controller
 *==========================================================================
 */

class BaseController {

    protected $db;
    protected $csrftoken;

    function __construct(){
        $f3 = Base::instance();
        $this->db = new DB\SQL($f3->get('db'), $f3->get('mysql_user'), $f3->get('mysql_password'));
        $session = new DB\SQL\Session($this->db);
        $this->csrftoken = $session->csrf();
    }

    public function model($table, $prefix = true){
        if($prefix){
            return new DB\SQL\Mapper($this->db, TABLE_PREFIX . $table);
        } else {
            return new DB\SQL\Mapper($this->db, $table);
        }
    }

    protected function library($lib){
        require_once APP_LIB . $lib . ".php";
    }
}


/*=========================================================================
 * This is my Homepage controller
 *==========================================================================
 */

class Homepage extends BaseController {

    function __construct() {
        parent::__construct();
    }

    public function home($f3) {
        $f3->set('csrftoken', $this->csrftoken);
        $f3->set('SESSION.csrftoken', $this->csrftoken);

        $f3->set('therapist', $this->model("therapist")->find(["therapist_name<>?",""],["limit" => 3, "order" => "therapist_id DESC"]));

        $this->library("imageshelper");
        $f3->set('imagehelper', new Imageshelper());

        echo View::instance()->render('app/views/frontend/home/main.phtml');
    }
}


/*=========================================================================
 * This is my main.phtml render view.
 *==========================================================================
 */

<?php require(APP_PATH . "app/views/includes/header.phtml");?>

<!-- if I remove this, the stored token is correct. -->
<!-- Portfolio Grid Section -->
<section id="therapist" class="bg-light-gray">
    <div class="container">
        <div class="row">
            <div class="col-lg-12 text-center">
                <h2 class="section-heading">Therapists</h2>
                <h3 class="section-subheading text-muted">Latest Therapist Members.</h3>
            </div>
        </div>
        <div class="row">
            <?php if(!empty($therapist)){
                foreach($therapist as $ther){
            ?>
            <div class="col-md-4 col-sm-6 portfolio-item">
                <a href="#portfolioModal1" class="portfolio-link" data-toggle="modal">
                    <div class="portfolio-hover">
                        <div class="portfolio-hover-content">
                            <i class="fa fa-plus fa-3x"></i>
                        </div>
                    </div>
                    <img src="img/portfolio/roundicons.png" class="img-responsive" alt="">
                </a>
                <div class="portfolio-caption">
                    <a href="<?= BASE_URL; ?>therapist/<?= $ther->therapist_username; ?>">
                        <img src="<?= $imagehelper::one_image($ther->therapist_folder, false); ?>" style="border-radius:50%; border:3px solid #FFF">
                    </a>
                    <h4><?= $ther->therapist_name; ?>.</h4>
                    <p class="text-muted"><?= $ther->therapist_region .", ".$ther->therapist_city; ?></p>
                </div>
            </div>
            <?php } ?>
            <?php } ?>
        </div>
    </div>
</section>

<!-- Test form submission -->
<section style="margin-top:200px" >
<?php
        echo "<form method='POST' action='".BASE_URL."booking'>
              <input type='hidden' name='token' value='".$csrftoken."'>
              <input type='submit' name='submit'>
              </form>";
?>
</section>

<?php require(APP_PATH . "app/views/includes/scripts.phtml") ?>
<?php require(APP_PATH . "app/views/includes/footer.phtml") ?>


/*=========================================================================
 * This is my receiving post controller
 *==========================================================================
 */

class Client_bookings extends BaseController {

    function __construct() {
        parent::__construct();
    }

    /**
     * post_search
     * Post method for booking search
     * @param object $f3 fatfree object
     */
    public function post_search($f3) {

        # validate submission and save
        if ($f3->get('POST.token') == $f3->get('SESSION.csrftoken')) {

            # should go here ///////////////////

        } else {
            # error
            # function d is just for dumping the data
            d($f3->get('POST.token'),false);
            d($f3->get('SESSION.csrftoken'));
            $f3->reroute('/');
        }
    }
}
   


ved

Sep 7, 2016, 9:01:34 AM9/7/16
to Fat-Free Framework
OK, I still don't see anything wrong at first glance.

Are you using the latest version from https://github.com/bcosca/fatfree-core ?

Also, you say that if you remove the "foreach" from your view, then everything works fine? Does it work if you just remove the imghelper call? Or do you really have to remove the entire loop for it to work?

What exactly do you have in the imghelper class and the one_image method?

DevMan12

Sep 7, 2016, 9:14:40 AM9/7/16
to Fat-Free Framework
Yes, it is the latest F3 core.

Actually I had already tried removing that at first; I even tried removing everything inside foreach($therapist as $ther) and still the session token changes for no reason. Only if I remove the actual foreach() does everything work as it should.

I have updated above how I call the imagehelper. Basically there is no post or session processing there, just browsing a folder directory for images.

<?php

class Imageshelper {

    /**
     * for thumbnails
     * @param string $folder  user upload folder to search for a thumb_ file
     * @param bool   $echo    echo the URL (true) or return it (false)
     */
    public static function one_image($folder, $echo = true){
        $directory = realpath(APP_PATH . "user_uploads/" . $folder);
        $handle = opendir($directory);
        $get = 1;
        $ctr = 0;
        // readdir() returns false at the end of the listing; compare strictly so a
        // file literally named "0" does not end the loop early
        while(($file = readdir($handle)) !== false){
            // strpos() returns false when "thumb_" is absent, so test against false
            if($file !== '.' && $file !== '..' && $get == 1 && strpos($file, "thumb_") !== false){
                if($echo){
                    echo BASE_URL . "user_uploads/$folder/" . $file;
                } else {
                    closedir($handle);
                    return BASE_URL . "user_uploads/$folder/" . $file;
                }
                $get = 2;
                $ctr++;
            }
        }
        closedir($handle);

        # no image was found
        if($ctr == 0){
            if($echo){
                echo BASE_URL . "user_uploads/default-user.png";
            } else {
                return BASE_URL . "user_uploads/default-user.png";
            }
        }
    }
}






DevMan12

Sep 7, 2016, 9:44:15 AM9/7/16
to f3-fra...@googlegroups.com

Correction, my bad: actually I'm not sure if I had really tried removing all the contents inside the foreach, because right now it works if I remove everything inside the foreach(). So maybe it is not the SQL mapper.

So I tried removing one by one, and found out that if I remove this line here:

<img src="<?= BASE_URL; ?>img/portfolio/roundicons.png" class="img-responsive" alt="">

it works! So I tried removing the src from the image, and it works, because the image does not exist.

I am confused. Why does an error in an HTML image affect the PHP session of Fat-Free? Shouldn't it work regardless of HTML errors?




 

ved

Sep 7, 2016, 9:54:24 AM9/7/16
to Fat-Free Framework
Yeah it's a strange issue, or maybe we're just missing something obvious.

Have you set DEBUG=3 on F3? Maybe there's some kind of error that's not getting output?

DevMan12

Sep 7, 2016, 10:12:24 AM9/7/16
to Fat-Free Framework
Yes, I have set it to DEBUG=3, but I am not getting any error. I also set the PHP errors in the index:

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

but no errors; just the session is affected somehow by the HTML errors. Really strange.

ved

Sep 7, 2016, 10:24:58 AM9/7/16
to Fat-Free Framework
Yeah, I don't think I can give you much more help, as I also can't see what could be causing this.

Sorry I couldn't be of more help. Maybe somebody else will see where the problem is.

DevMan12

Sep 7, 2016, 10:49:20 AM9/7/16
to Fat-Free Framework

Just encountered it again on another route:

Since I already know some HTML is causing this, I tracked the error: when I removed this non-existent asset file in the header, again the session works.

        <link href="font-awesome/css/font-awesome.min.css" rel="stylesheet" type="text/css">

It's OK, just sharing so anybody can double-check this anomaly and it can be fixed, as this framework is really great. Thanks for the time.



ved

Sep 7, 2016, 10:55:23 AM9/7/16
to Fat-Free Framework

That's really weird. It appears to be some kind of webserver config issue(?). What webserver are you using?

And what happens when you try to access that non-existing "yoursite.com/font-awesome/css/font-awesome.min.css"? Do you get a 404 error from the webserver or from F3?

DevMan12

Sep 7, 2016, 11:09:10 AM9/7/16
to Fat-Free Framework

Yes, a 404 error when accessed directly. I'm not running on any Vagrant box, just XAMPP v3.2.2 with PHP 5.6.

Yes, maybe it's the 404 error triggering the session reset? Anyway, got to go, will check more on this tomorrow. Thank you for the time.

ikkez

Sep 7, 2016, 6:21:49 PM9/7/16
to Fat-Free Framework
What happens when you access a non-existing file is that F3 boots up and tries to find a matching route for that path. As there is no route for "yoursite.com/font-awesome/css/font-awesome.min.css", it calls its error handler, which will produce the 404 response.
Now, I cannot see in your code if you have set a custom error handler (ONERROR) or if you initialize the DB Session somewhere else as well. But maybe it could be that this is causing your SESSION.csrftoken to become updated silently.

DevMan12

Sep 20, 2016, 9:00:35 PM9/20/16
to Fat-Free Framework
Sorry for the late reply,

I had to confirm this, as this is a great framework. Yes, ikkez is right. I had actually fixed this days ago. Be careful when using ONERROR. What really happened in my case is that I had put a reroute to the homepage for the ONERROR 404, and my controller for the homepage has a reset of the CSRF token, which was the culprit in my problem.

So be careful when using ONERROR with reroute; you might reset your CSRF tokens without knowing it, especially if you have asset files in the view that do not exist. As ikkez said, it will trigger a 404 even though you will not see any 404 page rendered, as it will load the view page normally.

Thanks to all and thanks to the Fat-Free framework, I am now in the last phases of my project and it works like a charm!
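As an added illustration of the mechanism ikkez and DevMan12 describe (this is example code written for this thread, not code from the original posts or from the Fat-Free project), here is a minimal F3 bootstrap that handles the 404 inside ONERROR instead of rerouting, issues the CSRF token once per session and reuses it, and compares the submitted token with hash_equals() rather than ==. It assumes fatfree-core is installed through Composer (vendor/autoload.php) and that the db, mysql_user and mysql_password config keys from the thread are set; the csrf_token() helper, the route closures and the response texts are illustrative.

```php
<?php
// Added example for this thread; not code from the original posts or from F3 itself.
// Assumes bcosca/fatfree-core installed via Composer and the 'db', 'mysql_user' and
// 'mysql_password' config keys used in the thread.
require 'vendor/autoload.php';

$f3 = Base::instance();
$f3->set('DEBUG', 3);

$db = new DB\SQL($f3->get('db'), $f3->get('mysql_user'), $f3->get('mysql_password'));
// Every DB\SQL\Session instance generates a fresh csrf() value, so a handler that
// stores csrf() into the session on each request overwrites the token that an
// already-rendered form is carrying.
$session = new DB\SQL\Session($db);

// Failure mode from the thread, kept only as a comment:
//   $f3->set('ONERROR', function($f3) { $f3->reroute('/'); });
// A <link> or <img> pointing at a file that does not exist is rewritten to
// index.php, F3 finds no route, ONERROR reroutes to '/', the browser follows the
// redirect with its session cookie, and the home handler replaces SESSION.csrftoken.

// Hypothetical helper: issue the token once per session and reuse it afterwards,
// so re-running the home route no longer invalidates outstanding forms.
function csrf_token(Base $f3, DB\SQL\Session $session) {
    if (!$f3->exists('SESSION.csrftoken')) {
        $f3->set('SESSION.csrftoken', $session->csrf());
    }
    return $f3->get('SESSION.csrftoken');
}

// Answer errors in place. F3 has already set the HTTP status before calling
// ONERROR; a 404 for a stray asset is reported as a 404 and never reaches
// controller code that touches the session.
$f3->set('ONERROR', function(Base $f3) {
    $code = (int) $f3->get('ERROR.code');
    if ($code === 404) {
        echo 'Not found: ' . htmlspecialchars($f3->get('PATH'), ENT_QUOTES, 'UTF-8');
        return;
    }
    echo 'Error ' . $code;
    if ($f3->get('DEBUG') >= 1) {
        // surface the message while debugging instead of hiding it behind a redirect
        echo ': ' . htmlspecialchars((string) $f3->get('ERROR.text'), ENT_QUOTES, 'UTF-8');
    }
});

$f3->route('GET /', function(Base $f3) use ($session) {
    // the view reads $csrftoken for its hidden form field, as in the thread
    $f3->set('csrftoken', csrf_token($f3, $session));
    echo View::instance()->render('app/views/frontend/home/main.phtml');
});

$f3->route('POST /booking', function(Base $f3) {
    $sent   = (string) $f3->get('POST.token');
    $stored = (string) $f3->get('SESSION.csrftoken');
    // constant-time comparison; an empty stored token never matches anything
    if ($stored === '' || !hash_equals($stored, $sent)) {
        $f3->error(403, 'CSRF token mismatch');
        return;
    }
    // booking search goes here
    echo 'token ok';
});

$f3->run();
```

The request for the missing stylesheet only reaches F3 at all because the framework's default rewrite rule forwards every request for a non-existent file to index.php, which is why a plain HTML mistake ends up running PHP. Keeping ONERROR free of reroutes removes that side channel; reusing one token per session means a second rendering of the home page (a reload in another tab, for instance) cannot invalidate a form the user already has open.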