Edit report at https://bugs.php.net/bug.php?id=31369&edit=1
 ID:                 31369
 Updated by:         yohg...@php.net
 Reported by:        baafie at planet dot nl
 Summary:            session_destroy() and/or session_write_close() should unregister URL handler
-Status:             Assigned
+Status:             Wont fix
 Type:               Feature/Change Request
 Package:            Session related
 Operating System:   Linux Red hat 9 -2.4.20
 PHP Version:        4.3.10
 Assigned To:        sas
 Block user comment: N
 Private report:     N

 New Comment:

We are sorry, but we cannot support PHP 4 related problems anymore.

Previous Comments:
------------------------------------------------------------------------
[2005-01-17 18:38:51] sni...@php.net

Assigning to the author of ext/session who can explain this / change it if he wishes.

------------------------------------------------------------------------
[2005-01-17 02:38:09] destes at ix dot netcom dot com

This is a potential security issue, since I read the manual as describing the behavior this bug expects (whereas the experienced behavior is very different). The ability to keep session data private (especially SIDs) is very important and I don't think the developers intended trans-sid to extend beyond the use of sessions in a script (i.e., beyond where the session has been destroyed).

On a side note, you can avoid having trans-sid append your links by using absolute (rather than relative) URLs.

I recommend that the original submitter changes this back from Bogus; absolutely zero explanation was given as to why this isn't a bug, and I (personally) happen to disagree.

-Steve

------------------------------------------------------------------------
[2004-12-31 16:33:49] baafie at planet dot nl

Description:
------------
According to the PHP manual, session_start() will register an internal output handler for URL rewriting when trans-sid is enabled. Should session_destroy() and/or session_write_close() not unregister this handler?

Reproduce code:
---------------
<?php
ini_set('session.use_trans_sid', '1');
session_start();
echo '<a href="index.php">a page</a>' . "\n";
session_destroy();
echo '<a href="index.php">a page</a>';
?>

Expected result:
----------------
Only the link that was printed before session_destroy() should contain the session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php">a page</a>

Actual result:
--------------
Both URLs contain the session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php?PHPSESSID=2382309823823...">a page</a>

------------------------------------------------------------------------
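
A check for the behaviour reported above, as an added example that is not part of the bug report or of PHP itself: it lists URLs and form fields in captured page output that still carry the session ID. The function name find_sid_leaks and the sample SID are constructed for illustration; it assumes PHP 7 or later with the DOM extension.

```php
<?php
// Added example, not from the bug report. find_sid_leaks() is a hypothetical
// helper name; it assumes PHP 7+ with the DOM extension.

/** @return string[] URLs and form fields that expose $sessionName */
function find_sid_leaks(string $html, string $sessionName = 'PHPSESSID'): array
{
    if (trim($html) === '') {
        return []; // DOMDocument::loadHTML() rejects empty input
    }
    // Tag => attribute pairs that can carry a rewritten URL.
    $targets = ['a' => 'href', 'area' => 'href', 'frame' => 'src',
                'iframe' => 'src', 'form' => 'action'];

    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate sloppy markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $leaks = [];
    foreach ($targets as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $node) {
            $url = $node->getAttribute($attr);
            $query = parse_url($url, PHP_URL_QUERY);
            if (!is_string($query)) {
                continue; // no query string, or URL could not be parsed
            }
            parse_str($query, $params);
            if (array_key_exists($sessionName, $params)) {
                $leaks[] = $url;
            }
        }
    }
    // The session ID can also be carried by a form field named after the session.
    foreach ($doc->getElementsByTagName('input') as $input) {
        if ($input->getAttribute('name') === $sessionName) {
            $leaks[] = 'input field: ' . $sessionName;
        }
    }
    return $leaks;
}

// Constructed samples shaped like the report's output; the SID is made up.
$actual   = '<a href="index.php?PHPSESSID=0123456789abcdef">a page</a>';
$expected = '<a href="index.php">a page</a>';
printf("after session_destroy(), actual:   %d leak(s)\n", count(find_sid_leaks($actual)));
printf("after session_destroy(), expected: %d leak(s)\n", count(find_sid_leaks($expected)));
```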