Closed

null $_SESSION values in StateServer mode

description

When using sessionState="StateServer" mode, .NET structs placed in $_SESSION are not persisted correctly. We get a null when restoring the session.
 
Steps to reproduce:
 
  1. Ensure Windows ASP.NET State Service is running
  2. In web.config set sessionState to "InProc"
  3. Load the attached test.php page.
  4. Refresh the page
  5. Observe as expected the var_dump shows us the RSAParameters struct has been persisted in the $_SESSION
  6. Now change web.config and set sessionState to "StateServer"
  7. Quit and restart your browser to clear the session
  8. Load test.php again
  9. Refresh the page
  10. Observe this time the $_SESSION contains a null value where our RSAParameters struct should be
     
    Somewhere .NET structs are not being serialized/deserialized correctly. Tested with the latest Phalanger 3.0 2012-04-18 r2.

Closed May 21, 2012 at 5:23 PM by jakub
array deserialization fixed -> closing

comments

Richard_Browne wrote Apr 22, 2012 at 9:29 AM

Hi I think I have a fix for this issue. I will submit a patch once it is tested more.

Richard_Browne wrote Apr 28, 2012 at 7:05 AM

Hi I posted patch 12031 for this problem a few days ago. PhpArray (OrderedDictionary) was not doing deserialization correctly.

jakub wrote Apr 28, 2012 at 7:44 AM

ah, thanks! I just don't understand, why it has to be deserialized in this way? Is there some multithreading or two-phase deserialization in .NET?

// wait until until OnDeserialization to use it
<-- where is the waiting?

Richard_Browne wrote Apr 28, 2012 at 8:44 AM

Hi jakub. In .NET when the special constructor XXX(SerializationInfo,StreamingContext) is called the object graph MAY not be fully deserialized yet. That means fields such as an array might contain null elements. It's not until OnDeserialization() is called that you can use your objects.

Have a look in Serialization.CLR.cs. You can see Phalanger is correctly delaying initialisation until OnDeserialization. But OrderedDictionary was not.

If you want to prove it yourself try the test I outlined in this issue and you will see the null values. Apply my patch and it works.

http://msdn.microsoft.com/en-us/library/system.runtime.serialization.ideserializationcallback.aspx
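
The two-phase pattern described in the comment above, as an added example that is not part of the original thread and is not the submitted patch or Phalanger's code. `DeferredMap` and its field names are hypothetical; the special constructor only stores the `SerializationInfo`, and the stored arrays are read in `OnDeserialization()`.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Hypothetical container, not Phalanger's OrderedDictionary.
[Serializable]
public sealed class DeferredMap : ISerializable, IDeserializationCallback
{
    private readonly Dictionary<string, object> items = new Dictionary<string, object>();
    private SerializationInfo pending; // held only until OnDeserialization runs

    public DeferredMap() { }

    public object this[string key]
    {
        get { return items[key]; }
        set { items[key] = value; }
    }

    // Serialize the pairs as two parallel arrays.
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        var keys = new string[items.Count];
        var values = new object[items.Count];
        items.Keys.CopyTo(keys, 0);
        items.Values.CopyTo(values, 0);
        info.AddValue("keys", keys);
        info.AddValue("values", values);
    }

    // Special constructor: the object graph may be incomplete here (array
    // elements can still be null), so remember the info and read nothing.
    private DeferredMap(SerializationInfo info, StreamingContext context)
    {
        pending = info;
    }

    // Runs after the whole graph is rebuilt; the elements are safe to read now.
    public void OnDeserialization(object sender)
    {
        if (pending == null) return; // the callback may be invoked more than once
        var keys = (string[])pending.GetValue("keys", typeof(string[]));
        var values = (object[])pending.GetValue("values", typeof(object[]));
        for (int i = 0; i < keys.Length; i++)
            items[keys[i]] = values[i];
        pending = null;
    }
}
```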

Richard_Browne wrote May 8, 2012 at 10:46 AM

Can we apply my patch? Serialization of structs is broken without it :-(

Richard_Browne wrote May 18, 2012 at 11:27 AM

Is it possible to apply this patch to the Phalanger code base?

The problem is apparent when session state != InProc. The issue description shows how to reproduce the problem and demonstrates the patch I submitted fixes it.

Please?

jakub wrote May 18, 2012 at 12:08 PM

I'm aware of that. Anyway the patch makes it impossible to read ASP.NET session variables from PHP code as it was possible before. This would break functionality of existing PHP/.NET web applications.

To not depend on the current implementation from the repository, you can simply compile your implementation of AspNetSessionHandler into C# project, place the dll into bin and call
SessionHandlers.RegisterHandler(YourAspNetSessionHandler.Default); at app startup (e.g. in global.asax). In .config then, specify your "Handler" (within <session>).

Richard_Browne wrote May 18, 2012 at 1:42 PM

jakub I'm sorry but I do not understand your response. I think we are confusing this issue with another problem. I have submitted two patches. They are different. Let's forget about the session variables ok?

Currently Phalanger deserialize an OrderedDictionary. Let me say that again: OrderedDictionary has a BUG where deserialization does not always work.

We must wait until OnDeserialization() before we access fields. I tried to demonstrate this in the original report. Just try it for yourself and you will see the problem. It is easy to reproduce. It has nothing to do with our discussion about session variables. This patch simply tries to resolve the problem with OrderedDictionary not being able to deserialize correctly.

Richard_Browne wrote May 18, 2012 at 1:45 PM

Whoops I made a typo. I meant to say "Currently Phalanger CAN'T deserialize an OrderedDictionary"

jakub wrote May 18, 2012 at 3:20 PM

ah, right. Of course we will merge it into repo. Thanks!

jakub wrote May 21, 2012 at 5:13 PM

Phalanger could deserialize OrderedDictionary ... but if you have a .NET object with custom serializer, it caused your exception ... it is fixed now using your patch