ID: 15909 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Open Bug Type: Session related Operating System: Linux Gnu 2.2.12 PHP Version: 4.1.2 New Comment:
Any attempt I have made to save session variables in 4.1.2 fails now. I can replace my php version with 4.1.1 and it works fine. I have noticed that the session files are created in the temporary directory, but while they contain the encode session data in php 4.1.1, they are 0 byte files in php 4.1.2. I am using IIS5.0 on Win2k. This fails in both the CGI and ISAPI version. I can reproduce it every time simply by stopping IIS, replacing php.exe, php4isapi.dll, php4ts.dll, and php4ts.lib, restarting IIS, and trying it. No changes to code and no changes to php.ini. Not even the php session manual's sample for showing the number of times you have visited a page works!! I really want this security fix, but I can't upgrade to it if it's going to break sessions. I do run a "slightly" (not where it really counts) modified php.ini that resembles the php.ini-recommended in almost every respect. I think this a glaringly obvious bug and can't imagine it can't be reproduced, just try the sample - I have confirmed and reproduced this bug on THREE IIS5.0 Win2k platforms. Previous Comments: ------------------------------------------------------------------------ [2002-03-09 22:37:59] [EMAIL PROTECTED] According to the session docs: If you have register_globals On, you have to use session_register() If you have register_globals Off, $_SESSION['var'] = 123 will register it That means that you have to switch everything over to the $_ vars and turn off register_globals before sessions work correctly (because the $_REQUEST[], or user input, vars won't be available globally any more). If I'm wrong, let me know :) ------------------------------------------------------------------------ [2002-03-08 15:06:06] [EMAIL PROTECTED] I experienced a similar problem (PHP 4.1.2, Linux 2.2.19-6.2.11) Works: onepage.php ----------- session_register("newvar"); $newvar = 123; header("Location: somepage.php"); somepage.php ------------ echo $_SESSION["newvar"]; //echoes 123 Doesn't work: onepage.php ----------- $_SESSION["newvar"] = 123; header("Location: somepage.php"); somepage.php ------------ echo $_SESSION["newvar"]; //"newvar" isn't set here ------------------------------------------------------------------------ [2002-03-06 14:56:41] [EMAIL PROTECTED] Re: [EMAIL PROTECTED] FYI, The code I'm working with uses a single session array variable (with many elements) and a library routine to do page jumps. Consequently I was able to fix this problem on all my pages by adding one line of code to the pagejump library routine. ------------------------------------------------------------------------ [2002-03-06 14:38:42] [EMAIL PROTECTED] Just wanted to confirm I also experienced this problem after upgrading to 4.1.2 for the security fix, so it's not an option to go back to an older version of PHP. The suggested $_SESSION[S][X] work around fixed my shopping cart but this is going to be a huge chore to fix the entire site. Is there an ETA on this fix? ------------------------------------------------------------------------ [2002-03-06 13:11:34] [EMAIL PROTECTED] Several pages that worked in PHP 4.0.2 no longer work in 4.1.2. The problem is that values added to a global session variable array just before jumping to another page are not being stored. For example, on page courses.php the user selects a course from a list. The code for the course is stored in a session variable $S[event_code], and the code pagejumps (by calling a library routine that calls header()) to page course.php, to display data for that particular course. The problem is, the value $S[event_code] no longer exists when we get to the second page (course.php). I can see the value in $S[event_code] if I var_dump($S) before the pagejump in courses.php. If I var_dump($S) just after arriving in page course.php, I see the other contents of the $S array but not $S[event_code]. Array $S is global and each page begins with session_register("S"); The update takes place within a function that declares $S as global. If I replace $S[event_code] = $event_code; with $_SESSION[S][event_code] = $event_code; the value is passed. PHP options enable_track_vars and register_globals are ON, session.save_handler is files, session.serialize_handler is php. Thank you. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=15909&edit=1