ID:               24781
User updated by:  spagmoid at yahoo dot com
Reported By:      spagmoid at yahoo dot com
Status:           Open
Bug Type:         Session related
Operating System: All
PHP Version:      4.3.2
New Comment:

Note: It also only happens right when sessions are first created, that way the page currently being viewed has no SID, but all the links in it do contain the SID. Tricky and evil.

Previous Comments:
------------------------------------------------------------------------

[2003-07-24 10:12:22] spagmoid at yahoo dot com

Sorry, there's no way I can subject our site to this risk again. I just thought I would notify about this problem. I believe what happened was proxy servers started caching pages that have SIDs in the links. This caused users to start pouring in with identical SIDs (different on each proxy, we surmise). It only happened to AOL users. It took 12 hours of hell just to figure out what was going on. Maybe a note in the session section of the manual that this can happen would help.

------------------------------------------------------------------------

[2003-07-23 22:13:32] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

------------------------------------------------------------------------

[2003-07-23 19:20:57] spagmoid at yahoo dot com

Description:
------------
Our SIDs have been leaking out today and becoming shared between 5+ users at once, causing massive corruption. Our theory is that session.use_only_cookies does not always work. It sometimes allows the SID to propagate in URL when cookies are disabled (noticed in Netscape not IE for some reason).

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=24781&edit=1
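
One way to check web server access logs for the symptom described in this report, session IDs carried in request URLs and reused by several clients. This is an added example, not part of the bug report or of PHP; the combined log format, the default `PHPSESSID` parameter name, and treating each distinct (IP, user-agent) pair as one client are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed input: Apache/nginx "combined" access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?P<url>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def sids_in_urls(lines, param="PHPSESSID"):
    """Map each session ID found in a request URL to the set of (ip, user-agent) clients sending it."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        query = urlsplit(m.group("url")).query
        for sid in parse_qs(query).get(param, []):
            seen[sid].add((m.group("ip"), m.group("ua")))
    return dict(seen)

def shared_sids(lines, min_clients=2, param="PHPSESSID"):
    """Return {sid: client_count} for session IDs sent by at least min_clients distinct clients."""
    found = sids_in_urls(lines, param)
    return {sid: len(c) for sid, c in found.items() if len(c) >= min_clients}

def _line(ip, url, ua):
    # Helper that builds one constructed combined-format log line.
    return f'{ip} - - [24/Jul/2003:10:00:00 +0000] "GET {url} HTTP/1.0" 200 5120 "-" "{ua}"'

# Constructed sample data (session IDs, addresses and user agents are made up).
SID_A = "c0ffee00000000000000000000000001"
SID_B = "c0ffee00000000000000000000000002"
UA1, UA2, UA3 = "ExampleBrowser/1.0", "ExampleBrowser/2.0", "OtherBrowser/4.7"
SAMPLE_LOG = [
    _line("192.0.2.10", f"/index.php?PHPSESSID={SID_A}", UA1),
    _line("192.0.2.11", f"/cart.php?item=4&PHPSESSID={SID_A}", UA2),
    _line("198.51.100.7", f"/index.php?PHPSESSID={SID_A}", UA1),
    _line("198.51.100.9", f"/index.php?PHPSESSID={SID_B}", UA3),
    _line("198.51.100.9", f"/news.php?PHPSESSID={SID_B}", UA3),
    _line("192.0.2.10", "/index.php", UA1),  # cookie-based request, no SID in URL
]

if __name__ == "__main__":
    for sid, n in sorted(shared_sids(SAMPLE_LOG).items()):
        print(f"session {sid} sent in URLs by {n} distinct clients")
```

Any entry returned by `sids_in_urls` is already worth a look on a site that expects cookie-only sessions; raise `min_clients` where users legitimately arrive through rotating proxy addresses.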