ID:               24781
 Updated by:       [EMAIL PROTECTED]
 Reported By:      spagmoid at yahoo dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         Session related
 Operating System: All
 PHP Version:      4.3.2
 New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

The error you are seeing is likely the result of multiple AOL users,
usually using the same browser accessing the site via AOL's proxy which
cached the session IDs. Because AOL's IPs are not static and may come
through a proxy users may also have the same IP. Thus making it nearly
impossible to distinguish between users.
I've encountered this problem (particular to users of large ISPs like
AOL) with other non-PHP based session mechanisms as well. The solution
is to keep the session expiry times short and send headers indicating
to the proxies/caches that the pages are not to be cached.


Previous Comments:
------------------------------------------------------------------------

[2003-07-24 10:15:53] spagmoid at yahoo dot com

Note: It also only happens right when sessions are first created, that
way the page currently being viewed has no SID, but all the links in it
do contain the SID.  Tricky and evil.

------------------------------------------------------------------------

[2003-07-24 10:12:22] spagmoid at yahoo dot com

Sorry, there's no way I can subject our site to this risk again.  I
just thought I would notify about this problem.

I believe what happened was proxy servers started caching pages that
have SIDs in the links.  This caused users to start pouring in with
identical SIDs (different on each proxy, we surmise).  It only
happened to AOL users.  It took 12 hours of hell just to figure out
what was going on.  Maybe a note in the session section of the manual
that this can happen would help.

------------------------------------------------------------------------

[2003-07-23 22:13:32] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

------------------------------------------------------------------------

[2003-07-23 19:20:57] spagmoid at yahoo dot com

Description:
------------
Our SIDs have been leaking out today and becoming shared between 5+
users at once, causing massive corruption.

Our theory is that session.use_only_cookies does not always work.  It
sometimes allows the SID to propagate in URL when cookies are disabled
(noticed in Netscape not IE for some reason).

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=24781&edit=1
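
The mitigation recommended in the top comment (short session expiry, no-cache headers) combined with cookie-only session IDs, as an added PHP example that is not part of the original bug thread or PHP's own code. `IDLE_LIMIT` and the `last_seen` session key are assumptions of this example, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example: session bootstrap that keeps SIDs out of links and caches.
// IDLE_LIMIT and the 'last_seen' key are assumptions, not PHP settings.
const IDLE_LIMIT = 900; // seconds of inactivity before the session is discarded

// Take the SID from the cookie only and never rewrite it into links or forms.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);

// Session cookie: ends with the browser, hidden from script, HTTPS only.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// session_start() will now send an expired Expires header,
// "Cache-Control: no-store, no-cache, must-revalidate" and "Pragma: no-cache".
session_cache_limiter('nocache');

// A SID in the query string means the request came from an old or cached link.
// Strip it and redirect so the ID is not bookmarked, logged or cached again.
if (isset($_GET[session_name()])) {
    $query = $_GET;
    unset($query[session_name()]);
    // Force a single leading slash so "//host/..." cannot become an off-site redirect.
    $path = '/' . ltrim(strtok($_SERVER['REQUEST_URI'], '?'), '/');
    header('Cache-Control: no-store');
    header('Location: ' . $path . ($query ? '?' . http_build_query($query) : ''), true, 302);
    exit;
}

session_start();

// Enforce the idle limit in code; session garbage collection runs only probabilistically.
$now = time();
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    session_unset();
    session_destroy();
    session_start(); // strict mode rejects the destroyed ID and issues a new one
}
$_SESSION['last_seen'] = $now;
```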
