ID: 15909
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Session related
Operating System: Linux Gnu 2.2.12
PHP Version: 4.1.2
New Comment:
Any attempt I have made to save session variables in 4.1.2 fails now.
I can replace my php version with 4.1.1 and it works fine. I have
noticed that the session files are created in the temporary directory,
but while they contain the encode session data in php 4.1.1, they are 0
byte files in php 4.1.2. I am using IIS5.0 on Win2k. This fails in
both the CGI and ISAPI version. I can reproduce it every time simply
by stopping IIS, replacing php.exe, php4isapi.dll, php4ts.dll, and
php4ts.lib, restarting IIS, and trying it. No changes to code and no
changes to php.ini. Not even the php session manual's sample for
showing the number of times you have visited a page works!! I really
want this security fix, but I can't upgrade to it if it's going to
break sessions.
I do run a "slightly" (not where it really counts) modified php.ini
that resembles the php.ini-recommended in almost every respect.
I think this a glaringly obvious bug and can't imagine it can't be
reproduced, just try the sample - I have confirmed and reproduced this
bug on THREE IIS5.0 Win2k platforms.
Previous Comments:
------------------------------------------------------------------------
[2002-03-09 22:37:59] [EMAIL PROTECTED]
According to the session docs:
If you have register_globals On, you have to use session_register()
If you have register_globals Off, $_SESSION['var'] = 123 will register
it
That means that you have to switch everything over to the $_ vars and
turn off register_globals before sessions work correctly (because the
$_REQUEST[], or user input, vars won't be available globally any
more).
If I'm wrong, let me know :)
------------------------------------------------------------------------
[2002-03-08 15:06:06] [EMAIL PROTECTED]
I experienced a similar problem (PHP 4.1.2, Linux 2.2.19-6.2.11)
Works:
onepage.php
-----------
session_register("newvar");
$newvar = 123;
header("Location: somepage.php");
somepage.php
------------
echo $_SESSION["newvar"]; //echoes 123
Doesn't work:
onepage.php
-----------
$_SESSION["newvar"] = 123;
header("Location: somepage.php");
somepage.php
------------
echo $_SESSION["newvar"]; //"newvar" isn't set here
------------------------------------------------------------------------
[2002-03-06 14:56:41] [EMAIL PROTECTED]
Re: [EMAIL PROTECTED]
FYI, The code I'm working with uses a single session array variable
(with many elements) and a library routine to do page jumps.
Consequently I was able to fix this problem on all my pages by adding
one line of code to the pagejump library routine.
------------------------------------------------------------------------
[2002-03-06 14:38:42] [EMAIL PROTECTED]
Just wanted to confirm I also experienced this problem after upgrading
to 4.1.2 for the security fix, so it's not an option to go back to an
older version of PHP.
The suggested $_SESSION[S][X] work around fixed my shopping cart but
this is going to be a huge chore to fix the entire site.
Is there an ETA on this fix?
------------------------------------------------------------------------
[2002-03-06 13:11:34] [EMAIL PROTECTED]
Several pages that worked in PHP 4.0.2 no longer work in 4.1.2. The
problem is that values added to a global session variable array just
before jumping to another page are not being stored.
For example, on page courses.php the user selects a course from a list.
The code for the course is stored in a session variable $S[event_code],
and the code pagejumps (by calling a library routine that calls
header()) to page course.php, to display data for that particular
course. The problem is, the value $S[event_code] no longer exists when
we get to the second page (course.php).
I can see the value in $S[event_code] if I var_dump($S) before the
pagejump in courses.php. If I var_dump($S) just after arriving in page
course.php, I see the other contents of the $S array but not
$S[event_code].
Array $S is global and each page begins with
session_register("S");
The update takes place within a function that declares $S as global.
If I replace
$S[event_code] = $event_code;
with
$_SESSION[S][event_code] = $event_code;
the value is passed.
PHP options enable_track_vars and register_globals are ON,
session.save_handler is files, session.serialize_handler is php.
Thank you.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=15909&edit=1
