ID: 15909
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Session related
Operating System: Linux Gnu 2.2.12
PHP Version: 4.1.2
New Comment:
Interesting workaround:
session_register("lastaction");
session_register("userip");
session_register("lines"); // etc etc
$HTTP_SESSION_VARS["xx"] = "Anything"; // this is the magic bit
Although xx isn't a registered session var, and doesn't get stored in
the session, it seems to stimulate PHP to update the session vars in
the file!
With that addition, my apps now work fine under 4.1.2.. (Win 2k, Apache
1.3.23)
John
Previous Comments:
------------------------------------------------------------------------
[2002-03-18 11:19:08] [EMAIL PROTECTED]
Here is part of what is going wrong. PHP starts out with each session
variable appearing as a global and also in $_SESSION. Initially these
are linked by reference (not clear how) and contain the same data. On
my pages this linkage appears to get broken so the contents
$GLOBALS['S']
and $_SESSION['S'] are not the same. $GLOBALS contains the latest data,
$_SESSION contains the data as of the start of the page. Consequently
changes to the $_SESSION variable are not being saved between pages.
My work around is to use the following at the end of each page for $S:
if ( !($_SESSION['S'] === $S) )
$_SESSION['S'] = $S;
This updates the contents of the $_SESSION variable if it is not longer
the same as the global.
Based on a comment from one of the developers, the problem may relate
to having a global declaration for a session variable that appears
outside a function scope. I have these declarations on each of my pages
because PHP used to require them.
------------------------------------------------------------------------
[2002-03-14 10:14:03] [EMAIL PROTECTED]
Any attempt I have made to save session variables in 4.1.2 fails now.
I can replace my php version with 4.1.1 and it works fine. I have
noticed that the session files are created in the temporary directory,
but while they contain the encode session data in php 4.1.1, they are 0
byte files in php 4.1.2. I am using IIS5.0 on Win2k. This fails in
both the CGI and ISAPI version. I can reproduce it every time simply
by stopping IIS, replacing php.exe, php4isapi.dll, php4ts.dll, and
php4ts.lib, restarting IIS, and trying it. No changes to code and no
changes to php.ini. Not even the php session manual's sample for
showing the number of times you have visited a page works!! I really
want this security fix, but I can't upgrade to it if it's going to
break sessions.
I do run a "slightly" (not where it really counts) modified php.ini
that resembles the php.ini-recommended in almost every respect.
I think this a glaringly obvious bug and can't imagine it can't be
reproduced, just try the sample - I have confirmed and reproduced this
bug on THREE IIS5.0 Win2k platforms.
------------------------------------------------------------------------
[2002-03-09 22:37:59] [EMAIL PROTECTED]
According to the session docs:
If you have register_globals On, you have to use session_register()
If you have register_globals Off, $_SESSION['var'] = 123 will register
it
That means that you have to switch everything over to the $_ vars and
turn off register_globals before sessions work correctly (because the
$_REQUEST[], or user input, vars won't be available globally any
more).
If I'm wrong, let me know :)
------------------------------------------------------------------------
[2002-03-08 15:06:06] [EMAIL PROTECTED]
I experienced a similar problem (PHP 4.1.2, Linux 2.2.19-6.2.11)
Works:
onepage.php
-----------
session_register("newvar");
$newvar = 123;
header("Location: somepage.php");
somepage.php
------------
echo $_SESSION["newvar"]; //echoes 123
Doesn't work:
onepage.php
-----------
$_SESSION["newvar"] = 123;
header("Location: somepage.php");
somepage.php
------------
echo $_SESSION["newvar"]; //"newvar" isn't set here
------------------------------------------------------------------------
[2002-03-06 14:56:41] [EMAIL PROTECTED]
Re: [EMAIL PROTECTED]
FYI, The code I'm working with uses a single session array variable
(with many elements) and a library routine to do page jumps.
Consequently I was able to fix this problem on all my pages by adding
one line of code to the pagejump library routine.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/15909
--
Edit this bug report at http://bugs.php.net/?id=15909&edit=1
