#26583 [NEW]: PHP in combination with IE6 unable to create valid session-id

Wed, 10 Dec 2003 07:32:11 -0800 

From:             peter dot lerner at commerzbank dot com
Operating system: Sol8 (Apache+PHP) & WinNT (IE6)
PHP version:      4.3.4
PHP Bug Type:     Session related
Bug description:  PHP in combination with IE6 unable to create valid session-id

Description:
------------
(see also bug #16408, i didn't know how to reopen it!)

I'm running php4.3.4 on apache2 on a solaris8 box.
Browser is Internet Explorer 6.0.2800.1106CO.

When using IE6 as a browser the session info saved as a file in /tmp, uses
a file named 'sess_null'.

-rw-------   1 myuid mygid 1535549 Dec 10 12:57 sess_null

When using e.g. Mozilla 1.5 everything is fine, and you find the normal
file 'sess_<cryptic sessionid>.

What does the sess_null file mean? IE6 in combination with PHP
(sometimes?) is not able to generate a valid session-id.
It means that *everybody* with an IE6 will *share* this session info from
session "null".


The problem is *very*critical* for us, because _every_ user who logs on
with an IE6 gets user permissions from the sess_null. sess_null could be
the admin's session.

Vice versa it's also a problem if the first user to create a sess_null was
not-privileged, and the subsequent admin logon is "castrated" to the
non-privileged level.




-- 
Edit bug report at http://bugs.php.net/?id=26583&edit=1
-- 
Try a CVS snapshot (php4):  http://bugs.php.net/fix.php?id=26583&r=trysnapshot4
Try a CVS snapshot (php5):  http://bugs.php.net/fix.php?id=26583&r=trysnapshot5
Fixed in CVS:               http://bugs.php.net/fix.php?id=26583&r=fixedcvs
Fixed in release:           http://bugs.php.net/fix.php?id=26583&r=alreadyfixed
Need backtrace:             http://bugs.php.net/fix.php?id=26583&r=needtrace
Need Reproduce Script:      http://bugs.php.net/fix.php?id=26583&r=needscript
Try newer version:          http://bugs.php.net/fix.php?id=26583&r=oldversion
Not developer issue:        http://bugs.php.net/fix.php?id=26583&r=support
Expected behavior:          http://bugs.php.net/fix.php?id=26583&r=notwrong
Not enough info:            http://bugs.php.net/fix.php?id=26583&r=notenoughinfo
Submitted twice:            http://bugs.php.net/fix.php?id=26583&r=submittedtwice
register_globals:           http://bugs.php.net/fix.php?id=26583&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=26583&r=php3
Daylight Savings:           http://bugs.php.net/fix.php?id=26583&r=dst
IIS Stability:              http://bugs.php.net/fix.php?id=26583&r=isapi
Install GNU Sed:            http://bugs.php.net/fix.php?id=26583&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=26583&r=float

Reply via email to