ID:               15909
Updated by:       [EMAIL PROTECTED]
Reported By:      [EMAIL PROTECTED]
Status:           Open
Bug Type:         Session related
Operating System: Linux Gnu 2.2.12
PHP Version:      4.1.2
New Comment:

Here is part of what is going wrong. PHP starts out with each session variable appearing as a global and also in $_SESSION. Initially these are linked by reference (not clear how) and contain the same data. On my pages this linkage appears to get broken so the contents of $GLOBALS['S'] and $_SESSION['S'] are not the same. $GLOBALS contains the latest data, $_SESSION contains the data as of the start of the page. Consequently changes to the $_SESSION variable are not being saved between pages.

My workaround is to use the following at the end of each page for $S:

    if ( !($_SESSION['S'] === $S) ) $_SESSION['S'] = $S;

This updates the contents of the $_SESSION variable if it is no longer the same as the global.

Based on a comment from one of the developers, the problem may relate to having a global declaration for a session variable that appears outside a function scope. I have these declarations on each of my pages because PHP used to require them.


Previous Comments:
------------------------------------------------------------------------

[2002-03-14 10:14:03] [EMAIL PROTECTED]

Any attempt I have made to save session variables in 4.1.2 fails now. I can replace my PHP version with 4.1.1 and it works fine. I have noticed that the session files are created in the temporary directory, but while they contain the encoded session data in PHP 4.1.1, they are 0 byte files in PHP 4.1.2.

I am using IIS5.0 on Win2k. This fails in both the CGI and ISAPI version. I can reproduce it every time simply by stopping IIS, replacing php.exe, php4isapi.dll, php4ts.dll, and php4ts.lib, restarting IIS, and trying it. No changes to code and no changes to php.ini. Not even the PHP session manual's sample for showing the number of times you have visited a page works!!

I really want this security fix, but I can't upgrade to it if it's going to break sessions. I do run a "slightly" (not where it really counts) modified php.ini that resembles the php.ini-recommended in almost every respect.
I think this is a glaringly obvious bug and can't imagine it can't be reproduced, just try the sample - I have confirmed and reproduced this bug on THREE IIS5.0 Win2k platforms.

------------------------------------------------------------------------

[2002-03-09 22:37:59] [EMAIL PROTECTED]

According to the session docs:

If you have register_globals On, you have to use session_register()
If you have register_globals Off, $_SESSION['var'] = 123 will register it

That means that you have to switch everything over to the $_ vars and turn off register_globals before sessions work correctly (because the $_REQUEST[], or user input, vars won't be available globally any more).

If I'm wrong, let me know :)

------------------------------------------------------------------------

[2002-03-08 15:06:06] [EMAIL PROTECTED]

I experienced a similar problem (PHP 4.1.2, Linux 2.2.19-6.2.11)

Works:

onepage.php
-----------
session_register("newvar");
$newvar = 123;
header("Location: somepage.php");

somepage.php
------------
echo $_SESSION["newvar"]; //echoes 123

Doesn't work:

onepage.php
-----------
$_SESSION["newvar"] = 123;
header("Location: somepage.php");

somepage.php
------------
echo $_SESSION["newvar"]; //"newvar" isn't set here

------------------------------------------------------------------------

[2002-03-06 14:56:41] [EMAIL PROTECTED]

Re: [EMAIL PROTECTED]

FYI, the code I'm working with uses a single session array variable (with many elements) and a library routine to do page jumps. Consequently I was able to fix this problem on all my pages by adding one line of code to the pagejump library routine.

------------------------------------------------------------------------

[2002-03-06 14:38:42] [EMAIL PROTECTED]

Just wanted to confirm I also experienced this problem after upgrading to 4.1.2 for the security fix, so it's not an option to go back to an older version of PHP.
The suggested $_SESSION[S][X] workaround fixed my shopping cart but this is going to be a huge chore to fix the entire site. Is there an ETA on this fix?

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
    http://bugs.php.net/15909

-- 
Edit this bug report at http://bugs.php.net/?id=15909&edit=1