Edit report at https://bugs.php.net/bug.php?id=49326&edit=1

 ID:               49326
 Updated by:       [email protected]
 Reported by:      k dot triendl at m-box dot at
 Summary:          output_buffering can break unsecure transparent
                   automatic SID adding
-Status:           Feedback
+Status:           No Feedback
 Type:             Bug
 Package:          Session related
 Operating System: windows xp sp3
 PHP Version:      5.2.10

 New Comment:

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


Previous Comments:
------------------------------------------------------------------------
[2012-03-29 09:25:01] [email protected]

Please try using this snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/



------------------------------------------------------------------------
[2009-09-18 14:07:37] k dot triendl at m-box dot at

Well, this is no satisfactory answer, I feel.

There are situations where cookies can't be used; cookies are bound to a path. 
If one sets them for the root '/' then the session information is valid for the 
whole path. No other session can be created without destroying the old one. 
Users wouldn't be able to log in to different databases at the same time or 
with different user credentials.
Also, I don't see so much the security risk with SIDs in URLs as information 
via our application is read-only to the public and will be changed only in 
intranets. Additionally, sessions are time-limited.

No matter the security risks it should be up to the application to decide 
whether it matters or not. Cookies have their own flaws.
PHP offers the feature to append the SID automatically and therefore I'm urging 
that this bug gets fixed (php 5.3.x might have the same bug), otherwise the 
feature should be deprecated.

Adding the SID manually is a tedious and error-prone work.

------------------------------------------------------------------------
[2009-09-16 08:02:00] [email protected]

You should really add the SID "manually" anyway, using 
session.use_trans_sid should be avoided always when your site is 
anything else but some intranet. (might be fixed, probably won't be 
ever)

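As an added example from the editor, not code from this bug report or from the PHP project: the hardened cookie-only session setup that makes session.use_trans_sid unnecessary, together with the per-application session name and cookie path that answers the "cookies are bound to a path" objection above (two applications on one host each get their own cookie, so a user can hold both sessions at once). The names 'PUBLIC_SESSID' and the paths are constructed assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later, session.use_strict_mode PHP 5.5.2 or later.

```php
<?php
// Added editorial example; not code from the bug report or from PHP itself.
// Session name and cookie path values below are constructed for illustration.
declare(strict_types=1);

/**
 * Start a cookie-only session scoped to one application mounted under $path.
 * A second application on the same host calls this with a different
 * $name/$path pair and gets an independent session, because the browser
 * only sends each cookie for the path it was set on.
 */
function start_hardened_session(string $name, string $path, bool $https): void
{
    // Weak setting the report exercises: session.use_trans_sid=1 lets PHP
    // rewrite buffered HTML and append ?PHPSESSID= to links, which leaks the
    // ID through Referer headers, logs and bookmarks (and, per the report,
    // can land in the wrong place when output_buffering is on).
    ini_set('session.use_trans_sid', '0');
    // Do not accept an ID from the query string at all.
    ini_set('session.use_only_cookies', '1');
    // Reject IDs the server never issued (blocks fixation with a planted ID).
    ini_set('session.use_strict_mode', '1');

    session_name($name);
    session_set_cookie_params([
        'lifetime' => 0,        // dropped when the browser closes
        'path'     => $path,    // scoped to this application's URL prefix
        'domain'   => '',       // current host only
        'secure'   => $https,   // send only over TLS when the site uses TLS
        'httponly' => true,     // not readable from script
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);

    // session_start() must precede any output; with output_buffering on,
    // the header is still queued correctly because nothing has been flushed.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/**
 * Defensive check for rendered HTML: returns the URLs in href/src/action
 * attributes that carry the session name as a query parameter. Running this
 * over test output verifies that no code path still appends the SID to links.
 */
function urls_carrying_session_id(string $html, string $sessionName): array
{
    $pattern = '/(?:href|src|action)="([^"]*)"/i';
    preg_match_all($pattern, $html, $matches);
    $quoted = preg_quote($sessionName, '/');
    return array_values(array_filter(
        $matches[1],
        static fn(string $url): bool => preg_match('/[?&](?:amp;)?' . $quoted . '=/', $url) === 1
    ));
}

// Usage: the public, read-only front end lives under '/', an intranet tool
// could call start_hardened_session('INTRANET_SESSID', '/intranet/', true)
// in its own scripts and coexist in the same browser.
start_hardened_session('PUBLIC_SESSID', '/', isset($_SERVER['HTTPS']));

// Constructed sample output modelled on the report's link; the check flags it.
$sample = '<a href="imprint.m-box?fcardid=4&amp;PUBLIC_SESSID=abc123">Impressum</a>';
foreach (urls_carrying_session_id($sample, 'PUBLIC_SESSID') as $leak) {
    error_log('session id present in URL: ' . $leak);
}
```

The check is meant for test or staging output, where it should return an empty array once transparent SID rewriting is off; a non-empty result points at a link built by hand that still appends the session ID.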
------------------------------------------------------------------------
[2009-09-15 14:41:46] k dot triendl at m-box dot at

Reproduce code:
---------------
I've prepared a test case without external requirements:
http://www.m-box.at/phpbug_49326/phpbug_49326.php.txt
http://www.m-box.at/phpbug_49326/phpbug_49326.html.inc

phpbug_49326.php.txt is the php script, remove the .txt extension;
phpbug_49326.html.inc is the file included by the php script.
Be sure to set 'output_buffering' to 4096 in the php.ini or the .htaccess file.

Expected result:
----------------
correct link to 'Impressum':
<a href="imprint.m-box?setmgrname=mboxobj&amp;fcardid=4&amp;reffcardid=3&amp;PHPSESSID=bouq4a3sddqfeqp4hrobr4bur0">Impressum</a>

Actual result:
--------------
incorrect link to 'Impressum':
<a href="imprint.m-box?setmgrname=mboxobj&amp;fcardid=4&amp;reffcardid=3"?PHPSESSID=bouq4a3sddqfeqp4hrobr4bur0>Impressum</a>

------------------------------------------------------------------------
[2009-09-04 11:41:36] [email protected]

Please provide a proper test case which does not have any external requirements.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=49326

