ID: 25934 Updated by: [EMAIL PROTECTED] Reported By: php at webfreezer dot com -Status: Open +Status: Feedback Bug Type: Session related Operating System: SuSe Linux 8.1 PHP Version: 4.3.4 New Comment:
Provide a complete example script. And FYI: for security reasons you really should use only cookies for passing the session ID around.. Previous Comments: ------------------------------------------------------------------------ [2003-11-05 03:00:31] php at webfreezer dot com This still happens in Version 4.3.4 which is now installed on the live system. What I do: - ini_set(session settings...) - session_start() - accessing the session values via $_SESSION - I donīt use sesson_register() and session_unregister() - Post a form via GET -> error occurs? -> redirect via header() with attached SID -> display page -> PHP ignores given sessionID - URL e.g. error.php?e=noresults_city&qid=1&sessionID=92f9dcf7a0d89eaa2b0bc8f2e4dfd460&token=d03d28781b196bd362b9aeb7844e8e85 - session_id() however is different from "$_GET[session_name()]" then - The error occurs everytime a new session is used (e.g. accessing the website and submitting the form for the first time int the session) I found at least a workaround for that: // Auto-Reset to correct session data $sn=session_name(); if($_GET[$sn] != session_id()) { $sessionSavePath=ini_get("session.save_path"); $oldSessionContent=file_get_contents($sessionSavePath."/sess_".$_GET[$sn]); session_decode($oldSessionContent); } If the error occurs it is now fixed on-the-fly. This works _everytime_ when the error occurs. As I said before the session file exists, it is readable and can be accessed without any problems, so itīs no wonder this workaround works. ------------------------------------------------------------------------ [2003-10-21 08:37:47] php at webfreezer dot com Description: ------------ PHP sometimes does not want to use the sessionID given via GET! This happens only on some occasions however it is reproducible on such a certain page. I regret that I cannot post a short code snippet because it simply does not happen when testing with a short code snippet. What happens is the following: - the SID is used as a GET parameter (this works on every other page!) - $sidname=session_name(); echo $_GET[$sidname] outputs the correct SID visible in the URL (e.g. "/search.php?page=2&qid=1&sessionID=1291bfd78301f151803ca632cd41f626") - however echo session_id() outputs a totally different SID! - both (old and new) SID files exist and are readable session.auto_start=0 session.use_cookies=0 session.use_only_cookies=0 session.referer_check=0 I even implemented my own session handler and it appears that PHP does not even call the OPEN function for the "old" SID that it no longer wants to use. I also tried to use the generic PHPSESSID name instead of the custom "sessionID" by not setting the custom name, but the problem still exists. This is my configure line: './configure' '--with-apache=../apache_1.3.28' '--with-mhash=/usr/local/lib' '--with-zlib-dir=/usr/local/lib' '--with-zip=/usr/local/lib' '--enable-memory-limit' '--enable-versioning' '--with-gd' '--enable-exif' '--with-config-file-path=/etc' '--enable-magic-quotes' '--enable-thread-safety' '--with-gettext' '--with-xml' '--with-mcrypt' '--enable-calendar' '--enable-bcmath' '--with-curl' '--with-curlwrappers' '--enable-ftp' '--enable-wddx' '--with-jpeg-dir=/usr/lib' ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=25934&edit=1