Bug #15551 Updated: unset($_SESSION['var']) problem with register_globals=on

[postings . php . net]

 ID:               15551
 Updated by:       [EMAIL PROTECTED]
-Summary:          unset($_SESSION['var']) problem with
                   register_globals=on
 Reported By:      [EMAIL PROTECTED]
 Status:           Bogus
 Bug Type:         Session related
 Operating System: Win32
 PHP Version:      4.1.1
 New Comment:

And how I'm supposed to write good, compatible code while I can't tell
my customers what they have to configure on their server, because my
application is not supposed to be the only one running there?

If the references would point to $_SESSION[*] and be stored in
$GLOBALS[*] instead of pointing to $_GLOBALS[*] and being stored in
$_SESSION[*], you could use $_SESSION[*] regardless of
register_globals.


Previous Comments:
------------------------------------------------------------------------

[2002-02-14 07:16:42] [EMAIL PROTECTED]

extract from the session documentation:

If register_globals is enabled, [...] users must register variables
with session_register() function.

If you are using $HTTP_SESSION_VARS/$_SESSION, do not use
session_register(), session_is_registered() and session_unregister()
unless you know internal of session module.

In other words, don't use register_globals(on) and $_SESSION together.

Regards, Marc.

------------------------------------------------------------------------

[2002-02-14 06:22:07] [EMAIL PROTECTED]

Hi F0lks,

when I use the $_SESSION array while register_globals is enabled, I
can't unregister variables as described in the documentation ( 

unset($_SESSION['var']); ), except in the script call where 'var' was
used first time.

I wrote demonstration script hoping it shows you what I mean.
(register_globals must be enabled!)


<?
session_name('testsession');
session_start();
echo '<pre>';

if( ! $_SESSION['c'] )  $_SESSION['c'] = 1;
        
echo "=== unregistering variables from session with register_globals=On
under PHP 4.1.1 ===\n";
echo "Current step: $_SESSION[c] of 5\n\n";
        
switch( $_SESSION['c'] ) {
        case 1:
                echo "Checking, if 'var' is registered - ";
                if( session_is_registered('var') ) {
                        session_destroy();
                        echo "yes. Killed session. END. (reload this page!)\n";
                        die();
                } else {
                        echo "no. Good.\n";
                }
                 
                echo "Setting \$_SESSION['var'] to 'test1' ...\n";
                $_SESSION['var'] = 'test1';
                
                varcheck( true );
                                
                break;
                
        case 2:
                varcheck( true );
                
                echo "Trying to unregister 'var' with unset(\$_SESSION['var'])
...\n";
                unset( $_SESSION['var'] );
                
                varcheck( false );
                
                echo "\$_SESSION['var'] isn't anymore now, so it shouldn't exist on
the next step.\n";  
                break;
                
        case 3:
                varcheck( true );
                
                echo "Here it is again, damn!\n";
                echo "Trying to get rid of it with session_unregister('var') ...\n";
                
                session_unregister('var');
                varcheck( false );
                
                echo "Maybe, this time, it won't come back ...\n";
                break;

        case 4:
                varcheck( false );
                echo "It worked, \$_SESSION['var'] is dead ...\n";
                echo "so let's try registering and unregistering in one (this) script
call.\n\n";
                
                echo "Setting \$_SESSION['var'] to 'test2' ...\n";
                $_SESSION['var'] = 'test2';
                varcheck( true );
                
                echo "Trying to unregister 'var' with
unset(\$_SESSION['var'])...\n";
                unset( $_SESSION['var'] );
                
                varcheck( false );              
                break;          
                
        case 5:
                varcheck( false );
                echo "No \$_SESSION['var'] ...\n\n";

                echo
'I think, I can explain this behaviour.

When you register a variable by $_SESSION[\'varname\']=\'something\';
$_SESSION[\'varname\'] is a string. When the script reacheas its end,
it
sees no $GLOBALS[\'varname\'] to save (register_globals=On!) so it
takes
$_SESSION[\'varname\'].

When calling the script again, \'varname\' will be restored from
session
to $GLOBALS[\'varname\']. Then a reference to $GLOBALS[\'varname\']
will
be created in $_SESSION[\'varname\']. unset($_SESSION[\'varname\']
would
only delete the reference to $GLOBALS[\'varname\'] ...

My suggestion to the php developers:
When register_globals=On restore variables from session to 
$_SESSION[\'varname\'] and store a reference to it in
$GLOBALS[\'varname\'].
';
                // don't need break; here ...
        
        default:
                session_destroy();
                echo "\n- - -\nSession killed. END. (reload to start again)\n";
                die();
}

$_SESSION['c'] += 1;
echo "</pre><a href=\"$PHP_SELF\">next</a>";

function varcheck( $y, $ignore=false )
{
        $x = isset( $_SESSION['var'] );
        if( $x ) {
                echo "\$_SESSION['var'] is now: ";
                var_dump( $_SESSION['var'] );
        } else
                echo "\$_SESSION['var'] is not set.\n";
                
        if( $x != $y and !$ignore ) {
                echo "... this shouldn't happen, maybe your php.ini differs from
mine.\n";
                echo "    feel free to contact me
&lt;[EMAIL PROTECTED]&gt;\n";
                die();
        } 
}


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=15551&edit=1