ID: 27154
Updated by: [EMAIL PROTECTED]
Reported By: devel at vesaria dot com
-Status: Open
+Status: Bogus
Bug Type: Session related
Operating System: Linux (Red Hat Enterprise Linux)
PHP Version: 4.3.4
New Comment:
Set the session.referer_check to empty string.
(I don't think your urls include 0 in them..)
And where did it say that you should paste all that crap from your
php.ini in this report?!!!
Previous Comments:
------------------------------------------------------------------------
[2004-02-04 23:27:53] devel at vesaria dot com
Here is the relevant info from phpinfo()
Configure Command './configure'
'--sysconfdir=/etc'
'--localstatedir=/var' '--with-apxs=/usr/sbin/apxs'
'--disable-debug'
'--enable-pic' '--disable-cgi'
'--disable-rpath'
'--enable-inline-optimization' '--with-bz2' '--with-db3'
'--with-png'
'--with-gd' '--enable-gd-native-ttf' '--with-ttf'
'--with-gdbm'
'--with-gettext' '--with-ncurses' '--with-gmp'
'--with-iconv'
'--with-jpep' '--with-openssl' '--with-ftp'
'--with-zlib'
'--with-layout=GNU' '--enable-bcmath'
'--enable-magic-quotes'
'--enable-sockets' '--enable-sysvmem'
'--enable-sysvshm'
'--enable-discard-path' '--enable-track-vars'
'--enable-trans-sid'
'--enable-yp' '--enable-wddx' '--without-oci8'
'--with-imap-ssl'
'--with-mysql' '--with-xml' '--enable-bcmath'
'--enable-shmop'
'--enable-versioning' '--enable-calendar'
'--enable-dbx'
'--enable-mbstring'
'--enable-mbstr-enc-trans'
'--with-curl=/opt/jail/usr' '--with-gd' '--with-mcrypt'
'--with-mhash'
Server API Apache
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php.ini
PHP API 20020918
PHP Extension 20020429
Zend Extension 20021010
Debug Build no
Thread Safety disabled
apache
APACHE_INCLUDE no value
APACHE_TARGET no value
Apache Version Apache/1.3.27 (Unix) (Red-Hat/Linux)
mod_gzip/1.3.26.1a
mod_ssl/2.8.12 OpenSSL/0.9.6b
Apache Release 10327100
Apache API Version 19990320
Hostname:Port www.pricequotes.com:80
User/Group apache(48)/48
Max Requests Per Child: 10000 - Keep Alive: on - Max Per
Connection:
200
Timeouts Connection: 300 - Keep-Alive: 60
Server Root /etc/httpd
Loaded Modules mod_gzip, mod_ssl, mod_php4, mod_setenvif,
mod_so,
mod_headers, mod_expires, mod_auth_anon, mod_auth,
mod_access,
mod_rewrite, mod_alias, mod_actions, mod_asis, mod_cgi,
mod_dir,
mod_include, mod_info, mod_negotiation, mod_mime,
mod_log_referer,
mod_log_agent, mod_log_config, mod_env, mod_vhost_alias, http_core
Directive Local Value Master Value
child_terminate 0 0
engine 1 1
last_modified 0 0
xbithack 0 0
session
Session Support enabled
Registered save handlers files user
Directive Local Value Master Value
session.auto_start On On
session.bug_compat_42 Off Off
session.bug_compat_warn On On
session.cache_expire 180 180
session.cache_limiter nocache nocache
session.cookie_domain no value no value
session.cookie_lifetime 0 0
session.cookie_path / /
session.cookie_secure Off Off
session.entropy_file /dev/urandom /dev/urandom
session.entropy_length 16 16
session.gc_divisor 1000 1000
session.gc_maxlifetime 1440 1440
session.gc_probability 1 1
session.name PHPSESSID PHPSESSID
session.referer_check 0 0
session.save_handler files files
session.save_path /tmp /tmp
session.serialize_handler php php
session.use_cookies On On
session.use_only_cookies Off Off
session.use_trans_sid Off Off
------------------------------------------------------------------------
[2004-02-04 23:21:08] devel at vesaria dot com
Description:
------------
When a client makes a regular request, PHP handles the session fine.
However, when the client sends a Referer header as well, PHP and sends
a new session cookie, and doesn't carry over the session data.
Note that this only happens if the Referer header is sent, not if other
headers are sent.
This has been confirmed by direct netcat connections, as well as
several browsers.
$ nc localhost 80 -v
localhost [127.0.0.1] 80 (http) open
GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2004 03:57:00 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_gzip/1.3.26.1a
mod_ssl/2.8.12 OpenSSL/0.9.6b
Vary: *
Set-Cookie: PHPSESSID=5d0966fbcc5296708b88917b5a2fbf1f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
<html><head><title>
$ nc localhost 80 -v
localhost [127.0.0.1] 80 (http) open
GET / HTTP/1.0
Cookie: PHPSESSID=5d0966fbcc5296708b88917b5a2fbf1f
Referer: http://some.other.site/
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2004 03:57:47 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_gzip/1.3.26.1a
mod_ssl/2.8.12 OpenSSL/0.9.6b
Vary: *
Set-Cookie: PHPSESSID=13dcdd68d0b27bbe04bb4f17a8407d23; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
<html><head><title>
$ nc localhost 80 -v
localhost [127.0.0.1] 80 (http) open
GET / HTTP/1.0
Cookie: PHPSESSID=5d0966fbcc5296708b88917b5a2fbf1f
X-Header: just another http header
HTTP/1.1 200 OK
Date: Thu, 05 Feb 2004 03:58:25 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_gzip/1.3.26.1a
mod_ssl/2.8.12 OpenSSL/0.9.6b
Vary: *
Set-Cookie: PHPSESSID=5d0966fbcc5296708b88917b5a2fbf1f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
<html><head><title>
[Session]
; Handler used to store/retrieve data.
session.save_handler = files ; Argument
passed to save_handler. In the case of files, this is the path
; where data files are stored. Note: Windows users have to change this
; variable in order to use PHP's session functions.
;
; As of PHP 4.0.1, you can define the path as:
;
; session.save_path = "N;/path"
;
; where N is an integer. Instead of storing all the session files in
; /path, what this will do is use subdirectories N-levels deep, and
; store the session data in those directories. This is useful if you
; or your OS have problems with lots of files in one directory, and is
; a more efficient layout for servers that handle lots of sessions.
;
; NOTE 1: PHP will not create this directory structure automatically.
; You can use the script in the ext/session dir for that
purpose.
; NOTE 2: See the section on garbage collection below if you choose to
; use subdirectories for session storage
;
; The file storage module creates files using mode 600 by default.
; You can change that by using
;
; session.save_path = "N;MODE;/path"
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
session.save_path = "/tmp"
; Whether to use cookies.
session.use_cookies = 1
; This option enables administrators to make their users invulnerable
to
; attacks which involve passing session ids in URLs;defaults to 0.
; session.use_only_cookies = 1
; Name of the session (used as cookie name).
session.name = PHPSESSID
; Initialize session on request startup.
session.auto_start = 1
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0
; The path for which the cookie is valid.
session.cookie_path = /
; The domain for which the cookie is valid.
session.cookie_domain =
; Handler used to serialize data. php is the standard serializer of
PHP
session.serialize_handler = php
; Define the probability that the 'garbage collection' process is
started
; on every session initialization.
; The probability is calculated by using gc_probability/gc_divisor,
; e.g. 1/100 means there is a 1% chance that the GC process starts
; on each request.
session.gc_probability = 1
session.gc_divisor = 1000
; After this number of seconds, stored data will be seen as 'garbage'
and
; cleaned up by the garbage collection process.
session.gc_maxlifetime = 1440
; PHP 4.2 and less have an undocumented feature/bug that allows you to
; to initialize a session variable in the global scope, albeit
register_globals
; is disabled. PHP 4.3 and later will warn you, if this feature is
used.
; You can disable the feature and the warning seperately. At this
time,
; the warning is only displayed, if bug_compat_42 is enabled.
session.bug_compat_42 = 0
session.bug_compat_warn = 1
; Check HTTP Referer to invalidate externally stored URLs containing
ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check = 0
; How many bytes to read from the file.
;session.entropy_length = 0
; Specified here to create the session id.
;session.entropy_file =
session.entropy_length = 16
session.entropy_file = /dev/urandom
; Set to {nocache,private,public,} to determine HTTP caching aspects.
; or leave this empty to avoid sending anti-caching headers.
session.cache_limiter = nocache
; Document expires after n minutes.
session.cache_expire = 180
; trans sid support is disabled by default.
; Use of trans sid may risk your users security.
; Use this option with caution.
; - User may send URL contains active session ID
; to other person via. email/irc/etc.
; - URL that contains active session ID may be stored
; in publically accessible computer.
; - User may access your site with the same session ID
; always using URL stored in browser's history or bookmarks.
session.use_trans_sid = 0
; Select a hash function
; 0: MD5 (128 bits)
; 1: SHA-1 (160 bits)
session.hash_function = 0
; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
;
; 4 bits: 0-9, a-f
; 5 bits: 0-9, a-v
; 6 bits: 0-9, a-z, A-Z, "-", ","
session.hash_bits_per_character = 5
; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter
will
; add a hidden <input> field with the info which is otherwise appended
; to URLs. If you want XHTML conformity, remove the form entry.
; Note that all valid entries require a "=", even if no value follows.
url_rewriter.tags =
"a=href,area=href,frame=src,input=src,form=fakeentry"
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=27154&edit=1
