From 9a714b38f881b699e7128ee2416d2831e6b2a6dd Mon Sep 17 00:00:00 2001 From: Bogdan Date: Tue, 9 Jun 2026 19:44:20 +0200 Subject: [PATCH 1/5] fix: protect internal session keys in set and __set methods --- system/Session/Session.php | 8 ++++++++ tests/system/Session/SessionTest.php | 24 ++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/system/Session/Session.php b/system/Session/Session.php index 1c3824928775..a10e92926f79 100644 --- a/system/Session/Session.php +++ b/system/Session/Session.php @@ -303,6 +303,10 @@ public function set($data, $value = null) } foreach ($data as $sessionKey => $sessionValue) { + if (is_string($sessionKey) && str_starts_with($sessionKey, '__ci_')) { + continue; + } + $_SESSION[$sessionKey] = $sessionValue; } } @@ -370,6 +374,10 @@ public function remove($key) */ public function __set(string $key, $value) { + if (str_starts_with($key, '__ci_')) { + return; + } + $_SESSION[$key] = $value; } diff --git a/tests/system/Session/SessionTest.php b/tests/system/Session/SessionTest.php index 3b7cd3860ccd..7b936ace3b54 100644 --- a/tests/system/Session/SessionTest.php +++ b/tests/system/Session/SessionTest.php 
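Review bot: The reserved-key check in the `set()` loop is a bare `continue` with `'__ci_'` as an inline literal, and the second hunk repeats the same literal in `__set()`, so the two guards can drift apart and nothing names what the prefix means. A private constant plus a small predicate keeps one definition of "internal key" and gives the `set()` docblock (which sits outside this hunk) something concrete to state: keys with this prefix are framework bookkeeping — the tests name `__ci_vars` and `__ci_last_regenerate` — and are ignored rather than written. The body of `set()` begins before the hunk, so I am assuming the closing brace at the top ends the string-to-array normalisation of `$data`; the guard's placement inside the loop is correct either way. `str_starts_with` is case-sensitive, which matches `$_SESSION`'s own case-sensitive keys, so no extra normalisation is needed.

```php
/** Session keys with this prefix hold framework bookkeeping and are never written on behalf of callers. */
private const INTERNAL_KEY_PREFIX = '__ci_';

/** True when $key names framework-internal session state that set()/__set() must not overwrite. */
private function isInternalKey(int|string $key): bool
{
    return is_string($key) && str_starts_with($key, self::INTERNAL_KEY_PREFIX);
}

// … unchanged: set() up to the foreach …
foreach ($data as $sessionKey => $sessionValue) {
    if ($this->isInternalKey($sessionKey)) {
        continue;
    }

    $_SESSION[$sessionKey] = $sessionValue;
}
```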
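Review bot: `__set()` now refuses `__ci_`-prefixed keys, but the hunk header shows `remove($key)` directly above it and nothing in this series guards deletion, so a caller-supplied key can still clear framework state such as `__ci_vars` even though it can no longer overwrite it. If `remove()` is a public write path with the same trust level as `set()`, the same prefix test belongs there, e.g. `if (str_starts_with($key, '__ci_')) { return; }` before it touches `$_SESSION`; I cannot see `remove()`'s body from the hunk, so confirm it writes to `$_SESSION` directly. The silent `return` here should also be reflected in the `__set()` docblock (outside the hunk), stating that writes to reserved keys are ignored, since a magic setter that does nothing is otherwise indistinguishable from one that succeeded.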
@@ -328,6 +328,30 @@ public function testSetMagicMethod(): void $this->assertSame('bar', $_SESSION['foo']); } + public function testSetIgnoresCiVars(): void + { + $session = $this->getInstance(); + $session->start(); + + $session->set('__ci_vars', 'malicious'); + $session->set('__ci_last_regenerate', 'malicious'); + + $this->assertArrayNotHasKey('__ci_vars', $_SESSION); + $this->assertNotSame('malicious', $_SESSION['__ci_last_regenerate']); + } + + public function testSetMagicMethodIgnoresCiVars(): void + { + $session = $this->getInstance(); + $session->start(); + + $session->__ci_vars = 'malicious'; // @phpstan-ignore property.notFound + $session->__ci_last_regenerate = 'malicious'; // @phpstan-ignore property.notFound + + $this->assertArrayNotHasKey('__ci_vars', $_SESSION); + $this->assertNotSame('malicious', $_SESSION['__ci_last_regenerate']); + } + public function testCanFlashData(): void { $session = $this->getInstance(); From f6ec096f8aff2113c966d8c6d7c966a91b32bb8b Mon Sep 17 00:00:00 2001 From: Bogdan Date: Tue, 9 Jun 2026 21:29:37 +0200 Subject: [PATCH 2/5] style: fix coding style per CS Fixer --- tests/system/Session/SessionTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/system/Session/SessionTest.php b/tests/system/Session/SessionTest.php index 7b936ace3b54..e53a44a6b61e 100644 --- a/tests/system/Session/SessionTest.php +++ b/tests/system/Session/SessionTest.php @@ -345,7 +345,7 @@ public function testSetMagicMethodIgnoresCiVars(): void $session = $this->getInstance(); $session->start(); - $session->__ci_vars = 'malicious'; // @phpstan-ignore property.notFound + $session->__ci_vars = 'malicious'; // @phpstan-ignore property.notFound $session->__ci_last_regenerate = 'malicious'; // @phpstan-ignore property.notFound $this->assertArrayNotHasKey('__ci_vars', $_SESSION); From 5775830aa4d5d3c0714eb8e8944274eb32a17be9 Mon Sep 17 00:00:00 2001 
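Review bot: `assertNotSame('malicious', $_SESSION['__ci_last_regenerate'])` in both new tests only proves the injected string did not land; it neither shows the original value survived nor guards against the key being absent after `start()`, in which case the read emits an undefined-index warning instead of a clean assertion failure. Capture the value first with `$before = $_SESSION['__ci_last_regenerate'];` and finish with `$this->assertSame($before, $_SESSION['__ci_last_regenerate']);`. The array form of `set()` is also untested: a case such as `$session->set(['__ci_vars' => 'x', 'safe' => 'y']);` asserting that `'safe'` was stored and `'__ci_vars'` was not would pin the per-key skip inside the loop rather than a whole-call rejection.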
From: Bogdan Date: Tue, 9 Jun 2026 21:42:40 +0200 Subject: [PATCH 3/5] chore: trigger CI tests From b389e45f4ff07ee4ad60d06f03f89168bbff0195 Mon Sep 17 00:00:00 2001 From: Bogdan Lambarski Date: Tue, 9 Jun 2026 23:52:29 +0200 Subject: [PATCH 4/5] Update system/Session/Session.php Co-authored-by: Michal Sniatala --- system/Session/Session.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system/Session/Session.php b/system/Session/Session.php index a10e92926f79..838012784699 100644 --- a/system/Session/Session.php +++ b/system/Session/Session.php @@ -304,6 +304,9 @@ public function set($data, $value = null) foreach ($data as $sessionKey => $sessionValue) { if (is_string($sessionKey) && str_starts_with($sessionKey, '__ci_')) { + log_message('warning', 'Session key "{key}" is reserved for framework use and was not set.', [ + 'key' => $key, + ]); continue; } From 37d9b15cac53238f08ac62e156256b0be52e4f47 Mon Sep 17 00:00:00 2001 From: Bogdan Date: Wed, 10 Jun 2026 00:43:19 +0200 Subject: [PATCH 5/5] fix coding style per CS Fixer --- system/Session/Session.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/system/Session/Session.php b/system/Session/Session.php index 838012784699..c1db491cb4d1 100644 --- a/system/Session/Session.php +++ b/system/Session/Session.php @@ -305,8 +305,9 @@ public function set($data, $value = null) foreach ($data as $sessionKey => $sessionValue) { if (is_string($sessionKey) && str_starts_with($sessionKey, '__ci_')) { log_message('warning', 'Session key "{key}" is reserved for framework use and was not set.', [ - 'key' => $key, + 'key' => $sessionKey, ]); + continue; }
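Review bot: The warning is added only to the `set()` loop; `__set()` carries the same `'__ci_'` guard from the first patch and still drops the write silently, so a rejected key shows up in logs on one path but not the other. Either duplicate the `log_message` call in `__set()` or, if `set()` accepts the string/value form its signature `set($data, $value = null)` suggests, reduce `__set()` to `$this->set($key, $value);` so guard and logging live in one place. The context entry uses `$key` here, which is not the loop variable; the final patch in the series already corrects it to `$sessionKey`, so no further change is needed on that line.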