Read the session data from session storage file

Question

Facing problem with PHP unserialize() function as titled it is throwing error.

unserialize() [function.unserialize]: Error at offset 0 of 1781 bytes

I also tried the session_decode() which return bool(false)

magic_quotes_gpc is Off.

Well, I am reading content of file which is serialized. File contents looks like below.

core|a:3:{s:23:"_session_validator_data";a:4:{s:11:"remote_addr";s:15:"117.241.113.248";s:8:"http_via";s:0:"";s:20:"http_x_forwarded_for";s:0:"";s:15:"http_user_agent";s:90:"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13";}s:13:"session_hosts";a:1:{s:12:"";b:1;}s:8:"messages";O:34:"Mage_Core_Model_Message_Collection":2:{s:12:"^@*^@_messages";a:0:{}s:20:"^@*^@_lastAddedMessage";N;}}customer|a:3:{s:23:"_session_validator_data";a:4:{s:11:"remote_addr";s:15:"117.241.113.248";s:8:"http_via";s:0:"";s:20:"http_x_forwarded_for";s:0:"";s:15:"http_user_agent";s:90:"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13";}s:13:"session_hosts";a:1:{s:12:"";b:1;}s:19:"wishlist_item_count";i:0;}catalog|a:3:{s:23:"_session_validator_data";a:4:{s:11:"remote_addr";s:15:"117.241.113.248";s:8:"http_via";s:0:"";s:20:"http_x_forwarded_for";s:0:"";s:15:"http_user_agent";s:90:"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13";}s:13:"session_hosts";a:1:{s:12:"";b:1;}s:8:"messages";O:34:"Mage_Core_Model_Message_Collection":2:{s:12:"^@*^@_messages";a:0:{}s:20:"^@*^@_lastAddedMessage";N;}}checkout|a:3:{s:23:"_session_validator_data";a:4:{s:11:"remote_addr";s:15:"117.241.113.248";s:8:"http_via";s:0:"";s:20:"http_x_forwarded_for";s:0:"";s:15:"http_user_agent";s:90:"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13";}s:13:"session_hosts";a:1:{s:12:"";b:1;}s:8:"messages";O:34:"Mage_Core_Model_Message_Collection":2:{s:12:"^@*^@_messages";a:0:{}s:20:"^@*^@_lastAddedMessage";N;}}

my PHP code is below

$file='/var/www/html/products/var/session/sess_0ehb7ek0hmunqo3kq70t0t6mb0';
$contents=file_get_contents($file);
$data = unserialize($contents); 
var_dump($data);

I already tried the stripslashes() before unserializing data. Not sure where is the problem in data. I can not change the mechanism of storing data in to file because this is handled by Magento for mananging session on File level.

I'm not sure why, but the contents contain 3 separate variables (types core, customer, and checkout). Maybe that is causing the problem in unserialize? — , Jan 15 '11 at 07:14
I believe (not exactly positive) that you can only [de]serialize one variable at once. Have you tried splitting them up and unserializing those? — , Jan 15 '11 at 07:18
Please see my solution here: http://stackoverflow.com/questions/530761/how-can-i-unserialize-session-data-to-an-arbitrary-variable-in-php/9843773#9843773 — Halcyon, Mar 23 '12 at 17:29

score 45 · Accepted Answer · edited Oct 06 '15 at 03:17

45

If you want to decode session data, use session_decode (see the manual). unserialize only decodes single variables, not session data.

You can do something like:

$file = '/var/www/html/products/var/session/sess_ciktos8icvk11grtpkj3u610o3';
$contents = file_get_contents($file);
session_start();
session_decode($contents);
print_r($_SESSION);

edited Oct 06 '15 at 03:17

Simon East

55,742
17
139
133

answered Jan 15 '11 at 07:31

StasM

10,593
6
56
103

Tried this returns bool(false) – Shakti Singh Jan 15 '11 at 07:47
try to do session_start() before decoding, then inspect $_SESSION. – StasM Jan 15 '11 at 08:01
@StasM: After adding session_start(); it is returning true but the string is also converted in numeric 1. – Shakti Singh Jan 15 '11 at 08:59
if it returns true, the values should be in $_SESSION. What is in $_SESSION after the call? – StasM Jan 15 '11 at 09:41
@StasM: Nothing in the $_SESSION and StasM I this is not resuming the session how it can show me the data in $_SESSION – Shakti Singh Jan 15 '11 at 10:29
2

While this works, and is the only officially supported way, it overwrites your existing session. – Nate Jun 06 '17 at 20:12
This only works for the *active session*, not an opened *session file*. – John Aug 09 '21 at 03:57

score 8 · Answer 2 · answered Jan 20 '13 at 16:11

Use this class:

    <?php
class Session {
    public static function unserialize($session_data) {
        $method = ini_get("session.serialize_handler");
        switch ($method) {
            case "php":
                return self::unserialize_php($session_data);
                break;
            case "php_binary":
                return self::unserialize_phpbinary($session_data);
                break;
            default:
                throw new Exception("Unsupported session.serialize_handler: " . $method . ". Supported: php, php_binary");
        }
    }

    private static function unserialize_php($session_data) {
        $return_data = array();
        $offset = 0;
        while ($offset < strlen($session_data)) {
            if (!strstr(substr($session_data, $offset), "|")) {
                throw new Exception("invalid data, remaining: " . substr($session_data, $offset));
            }
            $pos = strpos($session_data, "|", $offset);
            $num = $pos - $offset;
            $varname = substr($session_data, $offset, $num);
            $offset += $num + 1;
            $data = unserialize(substr($session_data, $offset));
            $return_data[$varname] = $data;
            $offset += strlen(serialize($data));
        }
        return $return_data;
    }

    private static function unserialize_phpbinary($session_data) {
        $return_data = array();
        $offset = 0;
        while ($offset < strlen($session_data)) {
            $num = ord($session_data[$offset]);
            $offset += 1;
            $varname = substr($session_data, $offset, $num);
            $offset += $num;
            $data = unserialize(substr($session_data, $offset));
            $return_data[$varname] = $data;
            $offset += strlen(serialize($data));
        }
        return $return_data;
    }
}
?>

Usage:

<?php
Session::unserialize(file_get_contents($sessionSavePath."/".$sessionFileName);
?>

Thats Work!

Linking to the source for this comment (credit where credit is due!): http://php.net/manual/en/function.session-decode.php#108037 — PureForm, Aug 01 '13 at 23:01
Please show how to set `$sessionSavePath` and `$sessionFileName` — Jonathan, Dec 05 '18 at 20:27
@Jonathan, you read $sessionSavePath parameter value from php.ini file and $sessionFileName parameter is generated with sessionid. Those options get from php.ini file. — Ahmet Erkan ÇELİK, Aug 29 '21 at 16:26

score 6 · Answer 3 · answered Jan 15 '11 at 07:16

That is not legal PHP serialized data, that's PHP session data.

PHP session data uses the serialized format internally, but it is not serialized data itself.

The only thing that can safely and sanely read session data is PHP's session code. It is sometimes possible to read it using a regular expression and some creative editing, but you can not rely upon those methods.

If you need data out of a user's session, your best bet is to write a custom session wrapper and let it do the work when the data itself changes rather than try and work with the data after the fact.

(I'm not talking about custom session-writing code, I'm talking about a class that you would use instead of using $_SESSION directly.)

I have tried all possible way to get the All current session on my site. Now , this is the last option I have, reading the current active session data from file and processing them. — Shakti Singh, Jan 15 '11 at 07:22

Prasanna · Answer 4 · 2011-07-07T13:01:32.213

6

Following can be a way to read session data from session file

//$file='/var/www/html/products/var/session/sess_ciktos8icvk11grtpkj3u610o3';
$sSessId = 'ciktos8icvk11grtpkj3u610o3';
session_id($sSessId);
session_start();
print_r($_SESSION);

edited Jul 07 '11 at 13:01

answered Jul 07 '11 at 12:56

Prasanna

61
1
2

score 2 · Answer 5 · edited Jul 06 '11 at 11:28

check out, this might click you something

function read($filename)
{
    session_save_path("/tmp/tst");
    session_start();
    echo    $sCurrentFile = "/tmp/tst/sess_".session_id();
    $sFileToRead = $filename;
    if( !file_exists($sFileToRead) || !$sessionData=(string)@file_get_contents($sFileToRead) )
    {
        echo "file does not exist";
    }

    $fh = fopen($sCurrentFile, 'w') or die("can't open file");
    fwrite($fh, $sessionData);
    fclose($fh);
    $_SESSION["mytest"] = 444; 
    print_r($_SESSION);
}

score -3 · Answer 6 · answered Oct 23 '13 at 11:03

-3

try Read Session Data from Session File

answered Oct 23 '13 at 11:03

Dean Williams

1
3

2

Note that [link only answers](http://meta.stackoverflow.com/tags/link-only-answers/info) are discouraged. Answers should be the end-point of a search for a solution instead of pointing to a link which often becomes stale over time. Please consider adding a stand-alone synopsis here, keeping the link as a reference. – DB5 Oct 23 '13 at 11:29

Read the session data from session storage file

6 Answers6

Linked