authorBharat Mediratta <bharat@menalto.com>2008-12-17 18:32:08 +0000
committerBharat Mediratta <bharat@menalto.com>2008-12-17 18:32:08 +0000
commitfa5a8fde4a378c4a4940eba323de7e2e61054d36 (patch)
tree7f5ef7767dfbc36b8e138e954e34a5adb41c696f /core
parent130e26983aedac1e4bb9f26d6a82c629248075e8 (diff)
Switch from cookie sessions to database sessions. We can't use cookie
sessions; they encode all the values into the cookie, which means little/no security, transfer costs, and storage limits.
Diffstat (limited to 'core')
-rw-r--r--core/config/session.php47
-rw-r--r--core/controllers/welcome.php8
-rw-r--r--core/helpers/core_installer.php7
-rw-r--r--core/helpers/module.php16
4 files changed, 65 insertions, 13 deletions
diff --git a/core/config/session.php b/core/config/session.php
new file mode 100644
index 00000000..56498316
--- /dev/null
+++ b/core/config/session.php
@@ -0,0 +1,47 @@
+<?php defined('SYSPATH') OR die('No direct access allowed.');
+/**
+ * @package Session
+ *
+ * Session driver name.
+ */
+$config['driver'] = 'database';
+
+/**
+ * Session storage parameter, used by drivers.
+ */
+$config['storage'] = '';
+
+/**
+ * Session name.
+ * It must contain only alphanumeric characters and underscores. At least one letter must be present.
+ */
+$config['name'] = 'g3sid';
+
+/**
+ * Session parameters to validate: user_agent, ip_address, expiration.
+ */
+$config['validate'] = array('user_agent');
+
+/**
+ * Enable or disable session encryption.
+ * Note: this has no effect on the native session driver.
+ * Note: the cookie driver always encrypts session data. Set to TRUE for stronger encryption.
+ */
+$config['encryption'] = FALSE;
+
+/**
+ * Session lifetime. Number of seconds that each session will last.
+ * A value of 0 will keep the session active until the browser is closed (with a limit of 24h).
+ */
+$config['expiration'] = 604800; // 7 days
+
+/**
+ * Number of page loads before the session id is regenerated.
+ * A value of 0 will disable automatic session id regeneration.
+ */
+$config['regenerate'] = 100;
+
+/**
+ * Percentage probability that the gc (garbage collection) routine is started.
+ */
+$config['gc_probability'] = 2;
\ No newline at end of file
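Review bot: The session settings leave a long replay window for a captured session id: `expiration` is 7 days, `regenerate` rotates the id only every 100 page loads, and `validate` checks just the user agent, a value the client supplies itself. Since the commit's stated motive is security, consider a shorter lifetime and more frequent rotation, for example `$config['regenerate'] = 3;`, or at least add a comment recording why these values were chosen. The `encryption` comment also describes only the native and cookie drivers; with the `database` driver selected here it should say that, while the setting is `FALSE`, session data is presumably stored unencrypted in the `sessions` table.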
diff --git a/core/controllers/welcome.php b/core/controllers/welcome.php
index b341b1af..9ac22318 100644
--- a/core/controllers/welcome.php
+++ b/core/controllers/welcome.php
@@ -21,7 +21,11 @@ class Welcome_Controller extends Template_Controller {
public $template = "welcome.html";
function index() {
- Session::instance();
+ try {
+ $session = Session::instance();
+ } catch (Exception $e) {
+ }
+
$this->template->syscheck = new View("welcome_syscheck.html");
$this->template->syscheck->errors = $this->_get_config_errors();
$this->template->syscheck->modules = array();
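Review bot: The empty `catch (Exception $e) { }` around `Session::instance()` discards every failure silently, so a broken session backend (for example a missing `sessions` table) is indistinguishable from a healthy request without a session. The same pattern appears in the `catch` added to `core/helpers/module.php`, where any exception makes the module loader return with nothing loaded. Record the exception before continuing, for example `Kohana::log('error', $e->getMessage());`, in both places. Initialising `$session = null;` before the `try` would also make the `!empty($session)` check in the second hunk explicit rather than relying on an unset variable. `index()` continues beyond this hunk.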
@@ -52,7 +56,7 @@ class Welcome_Controller extends Template_Controller {
$this->_create_directories();
- if (Session::instance()->get("profiler", false)) {
+ if (!empty($session) && $session->get("profiler", false)) {
$profiler = new Profiler();
$profiler->render();
}
diff --git a/core/helpers/core_installer.php b/core/helpers/core_installer.php
index de4c51d9..f71bec6d 100644
--- a/core/helpers/core_installer.php
+++ b/core/helpers/core_installer.php
@@ -82,6 +82,13 @@ class core_installer {
UNIQUE KEY(`name`))
ENGINE=InnoDB DEFAULT CHARSET=utf8;");
+ $db->query("CREATE TABLE `sessions` (
+ `session_id` varchar(127) NOT NULL,
+ `last_activity` int(10) UNSIGNED NOT NULL,
+ `data` text NOT NULL,
+ PRIMARY KEY (`session_id`))
+ ENGINE=InnoDB DEFAULT CHARSET=utf8;");
+
$db->query("CREATE TABLE `vars` (
`id` int(9) NOT NULL auto_increment,
`module_id` int(9),
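Review bot: The new `sessions` table has no index on `last_activity`, which the session garbage collector presumably filters on, so each gc pass would scan the whole table as sessions accumulate; adding `KEY (last_activity)` after the primary key would cover it. `data` is `text`, which caps a session at 64 KB in MySQL and can truncate silently outside strict mode, so either document the limit or use `mediumtext`. Because each row's `session_id` is a live credential for as long as the session lasts, a comment noting that this table and its backups need restricted access would help whoever maintains the installer. The enclosing install function starts and ends outside the hunk.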
diff --git a/core/helpers/module.php b/core/helpers/module.php
index 5713901d..c26a8257 100644
--- a/core/helpers/module.php
+++ b/core/helpers/module.php
@@ -116,9 +116,11 @@ class module_Core {
// Do The Right Thing.
//
// @todo get rid of this extra error checking when we have an installer.
- set_error_handler(array("module", "_dummy_error_handler"));
- $modules = ORM::factory("module")->find_all();
- restore_error_handler();
+ try {
+ $modules = ORM::factory("module")->find_all();
+ } catch (Exception $e) {
+ return;
+ }
// Reload module list from the config file since we'll do a refresh after calling install()
$core = Kohana::config_load('core');
@@ -164,12 +166,4 @@ class module_Core {
$var->value = $value;
$var->save();
}
-
- /**
- * Dummy error handler used in module::load_modules.
- *
- * @todo remove this when we have an installer.
- */
- public static function _dummy_error_handler() {
- }
}