#45380 [NEW]: Access multiple sessions in a request

[jerome dot auge at anakeen dot com]

From:             jerome dot auge at anakeen dot com
Operating system: Linux
PHP version:      5.2.6
PHP Bug Type:     Session related
Bug description:  Access multiple sessions in a request

Description:
------------
I want to access two distinct sessions content, but I only get access to 
the first session, and the second session_name/session_start does not 
change the content of the $_SESSION variable which remains the same as 
the first one.

After investigation, when switching session with a call to 
session_name('another_session')+session_start(), the session ID from the 
first session_start() is re-used, and the sess ID from the new session 
name 'another_session' is not used.

Reproduce code:
---------------
1) Call 'set_sess1.php' to set a session named 'sess1':

<?php
session_name('sess1');
session_start();
$session_id = session_id();
$cookie = $_COOKIE['sess1'];
$_SESSION['sess1']='session1:'.$session_id;
print "cookie = ".$cookie."\n";
print "session_id = ".$session_id."\n";
print "_SESSION = ".$_SESSION['sess1']."\n";
session_write_close();
?>

2) Call 'set_sess2.php' to set a session named 'sess2':

<?php
session_name('sess2');
session_start();
$session_id = session_id();
$cookie = $_COOKIE['sess2'];
$_SESSION['sess2']='session2:'.$session_id;
print "cookie = ".$cookie."\n";
print "session_id = ".$session_id."\n";
print "_SESSION = ".$_SESSION['sess2']."\n";
session_write_close();
?>

3) Try to access both session variables in 'get_sess.php':

<?php
session_name('sess1');
session_start();
$sess1 = $_SESSION['sess1'];
session_write_close();

session_name('sess2');
session_start();
$sess2 = $_SESSION['sess2'];
session_write_close();

foreach ($_COOKIE as $k => $v) {
        print "_COOKIE[$k] = $v\n";
}
print "sess1 = $sess1\n";
print "sess2 = $sess2\n";
?>

Expected result:
----------------
In 'get_sess.php', I expect to get access to the content of the 'sess2' 
session by issuing a new session_name('sess2')+session_start(), but the 
content of _SESSION remains the one from 'sess1'.

Expected output from 'get_sess.php':

  _COOKIE[sess1] = n0f57lap2oabeqvfc6t6c0ap60
  _COOKIE[sess2] = b4s2sr976f4qrbkimfh0i6kqm0
  sess1 = session1:n0f57lap2oabeqvfc6t6c0ap60
  sess2 = session2:b4s2sr976f4qrbkimfh0i6kqm0

Actual result:
--------------
Actuel output from 'get_sess.php':

  _COOKIE[sess1] = 2ot2t22ccq0t9de2edhgcrh4h4
  _COOKIE[sess2] = rt8jr3e6esvmp88id0e4o05091
  sess1 = session1:2ot2t22ccq0t9de2edhgcrh4h4
  sess2 =

The script also issue a "Set-Cookie: sess2=<value_from_sess1>", and I 
end up with the cookies 'sess1' and 'sess2' having the same ID.

I got around it by setting the session ID manually with 
session_id($_COOKIE['new_session']), after calling 
session_name('new_session') and before session_start()... but I was 
expecting PHP to handle this automatically...

So here is a proposal patch to de-allocate PS(id) when calling 
session_write_close(), in order to force session_start() to lookup the 
session ID from the session name:

--8<--
--- php-5.2.6.orig/ext/session/session.c        2008-04-29 
16:42:38.000000000 +0200
+++ php-5.2.6/ext/session/session.c     2008-06-27 18:29:05.000000000 
+0200
@@ -933,6 +933,11 @@
 
        if (PS(mod_data))
                PS(mod)->s_close(&PS(mod_data) TSRMLS_CC);
+
+       if (PS(id)) {
+               efree(PS(id));
+               PS(id) = NULL;
+       }
 }
 
 static char *month_names[] = {
-->8-- 


-- 
Edit bug report at http://bugs.php.net/?id=45380&edit=1
-- 
Try a CVS snapshot (PHP 5.2): 
http://bugs.php.net/fix.php?id=45380&r=trysnapshot52
Try a CVS snapshot (PHP 5.3): 
http://bugs.php.net/fix.php?id=45380&r=trysnapshot53
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=45380&r=trysnapshot60
Fixed in CVS:                 http://bugs.php.net/fix.php?id=45380&r=fixedcvs
Fixed in release:             
http://bugs.php.net/fix.php?id=45380&r=alreadyfixed
Need backtrace:               http://bugs.php.net/fix.php?id=45380&r=needtrace
Need Reproduce Script:        http://bugs.php.net/fix.php?id=45380&r=needscript
Try newer version:            http://bugs.php.net/fix.php?id=45380&r=oldversion
Not developer issue:          http://bugs.php.net/fix.php?id=45380&r=support
Expected behavior:            http://bugs.php.net/fix.php?id=45380&r=notwrong
Not enough info:              
http://bugs.php.net/fix.php?id=45380&r=notenoughinfo
Submitted twice:              
http://bugs.php.net/fix.php?id=45380&r=submittedtwice
register_globals:             http://bugs.php.net/fix.php?id=45380&r=globals
PHP 4 support discontinued:   http://bugs.php.net/fix.php?id=45380&r=php4
Daylight Savings:             http://bugs.php.net/fix.php?id=45380&r=dst
IIS Stability:                http://bugs.php.net/fix.php?id=45380&r=isapi
Install GNU Sed:              http://bugs.php.net/fix.php?id=45380&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=45380&r=float
No Zend Extensions:           http://bugs.php.net/fix.php?id=45380&r=nozend
MySQL Configuration Error:    http://bugs.php.net/fix.php?id=45380&r=mysqlcfg