ID:               25934
 Updated by:       [EMAIL PROTECTED]
 Reported By:      php at webfreezer dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Session related
 Operating System: SuSe Linux 8.1
 PHP Version:      4.3.4
 New Comment:

Provide a complete example script. And FYI: for security reasons you
really should use only cookies for passing the session ID around.



Previous Comments:
------------------------------------------------------------------------

[2003-11-05 03:00:31] php at webfreezer dot com

This still happens in Version 4.3.4 which is now installed on the live
system.

What I do:
- ini_set(session settings...)
- session_start()
- accessing the session values via $_SESSION
- I don't use session_register() and session_unregister()
- Post a form via GET -> error occurs? -> redirect via header() with
attached SID -> display page -> PHP ignores given sessionID
- URL e.g.
error.php?e=noresults_city&qid=1&sessionID=92f9dcf7a0d89eaa2b0bc8f2e4dfd460&token=d03d28781b196bd362b9aeb7844e8e85
- session_id() however is different from "$_GET[session_name()]" then
- The error occurs every time a new session is used (e.g. accessing the
website and submitting the form for the first time in the session)

I found at least a workaround for that:

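// Auto-reset to the session data of the ID passed in the URL
$sn=session_name();
// Accept only well-formed IDs so the value cannot escape session.save_path
if(isset($_GET[$sn]) && preg_match('/^[A-Za-z0-9,-]+$/', $_GET[$sn])
   && $_GET[$sn] != session_id())
{
        $sessionSavePath=ini_get("session.save_path");
        // Read the "old" session file that PHP ignored and load it into $_SESSION
        $oldSessionContent=file_get_contents($sessionSavePath."/sess_".$_GET[$sn]);
        if($oldSessionContent !== false)
        {
                session_decode($oldSessionContent);
        }
}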

If the error occurs it is now fixed on-the-fly.
This works _every time_ when the error occurs.
As I said before, the session file exists, it is readable and can be
accessed without any problems, so it's no wonder this workaround works.

------------------------------------------------------------------------

[2003-10-21 08:37:47] php at webfreezer dot com

Description:
------------
PHP sometimes does not want to use the sessionID given via GET! This
happens only on some occasions however it is reproducible on such a
certain page. I regret that I cannot post a short code snippet because
it simply does not happen when testing with a short code snippet.

What happens is the following:
- the SID is used as a GET parameter (this works on every other page!)
- $sidname=session_name(); echo $_GET[$sidname] outputs the correct SID
visible in the URL (e.g.
"/search.php?page=2&qid=1&sessionID=1291bfd78301f151803ca632cd41f626")
- however echo session_id() outputs a totally different SID!
- both (old and new) SID files exist and are readable

session.auto_start=0
session.use_cookies=0
session.use_only_cookies=0
session.referer_check=0

I even implemented my own session handler and it appears that PHP does
not even call the OPEN function for the "old" SID that it no longer
wants to use.

I also tried to use the generic PHPSESSID name instead of the custom
"sessionID" by not setting the custom name, but the problem still
exists.

This is my configure line:

'./configure' '--with-apache=../apache_1.3.28'
'--with-mhash=/usr/local/lib' '--with-zlib-dir=/usr/local/lib'
'--with-zip=/usr/local/lib' '--enable-memory-limit'
'--enable-versioning' '--with-gd' '--enable-exif'
'--with-config-file-path=/etc' '--enable-magic-quotes'
'--enable-thread-safety' '--with-gettext' '--with-xml' '--with-mcrypt'
'--enable-calendar' '--enable-bcmath' '--with-curl'
'--with-curlwrappers' '--enable-ftp' '--enable-wddx'
'--with-jpeg-dir=/usr/lib' 



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=25934&edit=1
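
The cookie-only setup recommended in the new comment, applied to the redirect flow from the report, as an added example that is not code from the bug report or from PHP itself. The helper name build_redirect_url() is hypothetical, and the relative redirect target is an assumption.

```php
<?php
// Added example, not code from the bug report.
// The report ran with session.use_cookies=0 and session.use_only_cookies=0,
// which forces the session ID into URLs (server logs, Referer headers,
// copied links). These settings keep it in the cookie only.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // ignore IDs sent via GET/POST
ini_set('session.use_trans_sid', '0');    // never rewrite URLs with the ID

session_start();

// Hypothetical helper: build a redirect target that never carries the
// session ID, even if the caller passes the incoming query string along.
function build_redirect_url($path, $params)
{
    unset($params[session_name()]);
    $pairs = array();
    foreach ($params as $key => $value) {
        if (is_scalar($value)) {
            $pairs[] = urlencode((string) $key) . '=' . urlencode((string) $value);
        }
    }
    return $pairs ? $path . '?' . implode('&', $pairs) : $path;
}

// With use_only_cookies=1 an ID in the URL is ignored by PHP; logging it
// helps spot old links or attempts to hand a visitor a chosen session ID.
if (isset($_GET[session_name()])) {
    error_log('Session ID supplied in URL was ignored');
}

// The error redirect from the report, without the attached SID.
// Parameter values are taken from the example URL in the report.
$target = build_redirect_url('error.php', array('e' => 'noresults_city', 'qid' => 1));
header('Location: ' . $target);
exit;
```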
