#25934 [Fbk->Opn]: SessionID in URL sometimes ignored

php at webfreezer dot com Mon, 03 Nov 2003 04:44:55 -0800

 ID:               25934
 User updated by:  php at webfreezer dot com
 Reported By:      php at webfreezer dot com
-Status:           Feedback
+Status:           Open
 Bug Type:         Session related
 Operating System: SuSe Linux 8.1
 PHP Version:      4.3.3
 New Comment:


This is an excerpt of ini_get_all vardump�ed:

 [session.auto_start] array(3) => {
    [global_value] string(1) => "0"
    [local_value] string(1) => "0"
    [access] int(7) => 
  }
  [session.bug_compat_42] array(3) => {
    [global_value] string(1) => "1"
    [local_value] string(1) => "1"
    [access] int(7) => 
  }
  [session.bug_compat_warn] array(3) => {
    [global_value] string(1) => "1"
    [local_value] string(1) => "1"
    [access] int(7) => 
  }
  [session.cache_expire] array(3) => {
    [global_value] string(2) => "60"
    [local_value] string(3) => "180"
    [access] int(7) => 
  }
  [session.cache_limiter] array(3) => {
    [global_value] string(7) => "nocache"
    [local_value] string(7) => "nocache"
    [access] int(7) => 
  }
  [session.cookie_domain] array(3) => {
    [global_value] string(0) => ""
    [local_value] string(0) => ""
    [access] int(7) => 
  }
  [session.cookie_lifetime] array(3) => {
    [global_value] string(1) => "0"
    [local_value] string(1) => "0"
    [access] int(7) => 
  }
  [session.cookie_path] array(3) => {
    [global_value] string(1) => "/"
    [local_value] string(1) => "/"
    [access] int(7) => 
  }
  [session.cookie_secure] array(3) => {
    [global_value] string(0) => ""
    [local_value] string(0) => ""
    [access] int(7) => 
  }
  [session.entropy_file] array(3) => {
    [global_value] string(0) => ""
    [local_value] string(0) => ""
    [access] int(7) => 
  }
  [session.entropy_length] array(3) => {
    [global_value] string(1) => "0"
    [local_value] string(1) => "0"
    [access] int(7) => 
  }
  [session.gc_divisor] array(3) => {
    [global_value] string(3) => "100"
    [local_value] string(3) => "100"
    [access] int(7) => 
  }
  [session.gc_maxlifetime] array(3) => {
    [global_value] string(4) => "1440"
    [local_value] string(4) => "1440"
    [access] int(7) => 
  }
  [session.gc_probability] array(3) => {
    [global_value] string(1) => "1"
    [local_value] string(1) => "1"
    [access] int(7) => 
  }
  [session.name] array(3) => {
    [global_value] string(9) => "PHPSESSID"
    [local_value] string(9) => "sessionID"
    [access] int(7) => 
  }
  [session.referer_check] array(3) => {
    [global_value] string(0) => ""
    [local_value] string(1) => "0"
    [access] int(7) => 
  }
  [session.save_handler] array(3) => {
    [global_value] string(5) => "files"
    [local_value] string(5) => "files"
    [access] int(7) => 
  }
  [session.save_path] array(3) => {
    [global_value] string(4) => "/tmp"
    [local_value] string(44) => "/var/www/DOMAINNAME/temp/sessions"
    [access] int(7) => 
  }
  [session.serialize_handler] array(3) => {
    [global_value] string(3) => "php"
    [local_value] string(3) => "php"
    [access] int(7) => 
  }
  [session.use_cookies] array(3) => {
    [global_value] string(1) => "1"
    [local_value] string(1) => "0"
    [access] int(7) => 
  }
  [session.use_only_cookies] array(3) => {
    [global_value] string(1) => "0"
    [local_value] string(1) => "0"
    [access] int(7) => 
  }
  [session.use_trans_sid] array(3) => {
    [global_value] string(1) => "0"
    [local_value] string(1) => "0"
    [access] int(6) => 
  }


Previous Comments:
------------------------------------------------------------------------

[2003-10-29 19:58:00] [EMAIL PROTECTED]

Could you please show all your session related INI values after any
ini_set() or session_set_cookie_params() that your script normally
makes.

------------------------------------------------------------------------

[2003-10-22 06:01:14] php at webfreezer dot com

Sorry, ini_set("session.name", "sessionID") is called before, NOT
ini_set("session-name"...

------------------------------------------------------------------------

[2003-10-22 05:59:38] php at webfreezer dot com

I don�t access the sessionID in the scripts directly via any $_GET or
$_POST. I only use PHP�s session_id() and session_name() functions
throughout the scripts.

After testing the current PHP snap there has been no change in the
behavior so I changed the version back to 4.3.3.

However I tried something different.
I appended &PHPSESSID={SESSIONID} to the URL so that it now looks like
"file.php?sessionID={SESSIONID}&PHPSESSID={SESSIONID}" when such a
session "loss" occured and it works!
As I stated before the session file exists and contains the correct
data so the session is kind of restored that way.

ini_get("session.name") however correctly returns "sessionID" on the
same page and ini_set("session-name", "sessionID") is of course called
prior to session_start().

So it seems as if PHP does not always correctly use the settings and
falls back to standard values.
Might ini_set values also be "remembered" by Apache processes as stated
in bug bug #25753?

I don�t know why it didn�t work some time ago when changing the session
name to PHPSESSID did not work, but since then the code has been
changed since then that might have been another problem.

------------------------------------------------------------------------

[2003-10-22 04:49:53] [EMAIL PROTECTED]

Are you accessing the session ID via globals or do you use $_GET, etc.?
This might be same issue as bug #25753 is about.


------------------------------------------------------------------------

[2003-10-21 08:37:47] php at webfreezer dot com

Description:
------------
PHP sometimes does not want to use the sessionID given via GET! This
happens only on some occasions however it is reproducible on such a
certain page. I regret that I cannot post a short code snippet because
it simply does not happen when testing with a short code snippet.

What happens is the following:
- the SID is used as a GET parameter (this works on every other page!)
- $sidname=session_name(); echo $_GET[$sidname] outputs the correct SID
visible in the URL (e.g.
"/search.php?page=2&qid=1&sessionID=1291bfd78301f151803ca632cd41f626")
- however echo session_id() outputs a totally different SID!
- both (old and new) SID files exist and are readable

session.auto_start=0
session.use_cookies=0
session.use_only_cookies=0
session.referer_check=0

I even implemented my own session handler and it appears that PHP does
not even call the OPEN function for the "old" SID that it no longer
wants to use.

I also tried to use the generic PHPSESSID name instead of the custom
"sessionID" by not setting the custom name, but the problem still
exists.

This is my configure line:

'./configure' '--with-apache=../apache_1.3.28'
'--with-mhash=/usr/local/lib' '--with-zlib-dir=/usr/local/lib'
'--with-zip=/usr/local/lib' '--enable-memory-limit'
'--enable-versioning' '--with-gd' '--enable-exif'
'--with-config-file-path=/etc' '--enable-magic-quotes'
'--enable-thread-safety' '--with-gettext' '--with-xml' '--with-mcrypt'
'--enable-calendar' '--enable-bcmath' '--with-curl'
'--with-curlwrappers' '--enable-ftp' '--enable-wddx'
'--with-jpeg-dir=/usr/lib' 



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=25934&edit=1

#25934 [Fbk->Opn]: SessionID in URL sometimes ignored

Reply via email to