ID: 25084 Updated by: [EMAIL PROTECTED] Reported By: mrmax063 at maxempire dot com -Status: Feedback +Status: Closed Bug Type: Session related Operating System: Windows XP PHP Version: 4CVS-2003-08-13 (stable) New Comment:
This bug has been fixed in CVS. In case this was a PHP problem, snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. In case this was a documentation problem, the fix will show up soon at http://www.php.net/manual/. In case this was a PHP.net website problem, the change will show up on the PHP.net site and on the mirror sites in short time. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2003-08-13 20:02:26] [EMAIL PROTECTED] Are you register_globals on or off? ------------------------------------------------------------------------ [2003-08-13 18:47:28] mrmax063 at maxempire dot com I forgot to mention that I'm running PHP as server module under Apache 2.0.47 on Windows XP. ------------------------------------------------------------------------ [2003-08-13 18:42:53] mrmax063 at maxempire dot com Description: ------------ Hi! I've recently discovered that session_start() function ignores session.referer_check settings. And to be sure, I even downloaded the latest release in the 4CVS series, but the problem remains. For example, if domain name where script is located is "example.com", the session.referer_check should be set to "example.com". Now, according to documentation, if someone tries to access the script from another domain with valid session id embedded in the URL (i.e. by following <A> link whose HREF parameter points to http://example.com/session.php?PHPSESSID=sessionid...), PHP should reset session id to another value. But, instead of this, session id that's specified in the URL is accepted (even though HTTP_REFERER field contains address of another domain). Reproduce code: --------------- <?php ini_set('session.referer_check', 'example.com'); session_start(); if (!isset($_SESSION['count'])) { $_SESSION['count'] = 0; } else { $_SESSION['count']++; } print('Counter: ' . $_SESSION['count'] . '<BR>'); print('Add this code to a page on *another* domain: <A HREF="http://example.com/session.php?PHPSESSID=' . session_id() . '">HIJACK!</A><BR>'); print('HTTP_REFERER: ' . getenv('HTTP_REFERER')); ?> Expected result: ---------------- When above script is accessed from another domain via <A> HTML tag and session id is specified in the URL ("session.php?PHPSESSID=sessionid..."), session_start() function should reset session id to another value, since HTTP_REFERER contains address of another domain. Actual result: -------------- session_start() function accepts session id that's specified in the URL, even though HTTP_REFERER contains address of another domain. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=25084&edit=1
