ID:               35479
 User updated by:  kenashkov at gmail dot com
 Reported By:      kenashkov at gmail dot com
 Status:           Wont fix
 Bug Type:         Session related
 Operating System: Fedora Core 4
 PHP Version:      4.4.1
 New Comment:

I think this can be a major security risk if the garbage collection
rule is based not on the session begin time, but on an inactivity time
(i.e. 1 hour since last read). Thus, when for a long time there is no
execution of the code (from other users/sessions), it is possible for a
visitor to use an abandoned session (i.e. a window not closed on some
computer) and execute the page. Then the read function is called, it
updates the last activity time, and the gc will not delete the session,
because it is already updated. A workaround is to update the last
activity time in the write function (which is AFTER the gc), but this
way the possibility remains to execute an abandoned session at least
once.

And is that the order of calling of the internal functions when the
default handler is used? If it is, I think it is important not to leave
this as is.
Maybe it is possible to add a php.ini directive that allows switching
the calling order. Something like "change_session_call_order" On/Off
PHP_INI_ALL. This way, if there are no compatibility issues, one can
turn it On to get the proposed calling order. I know that there are
already a lot of session directives, but this is better than nothing.


Previous Comments:
------------------------------------------------------------------------

[2005-11-29 22:55:29] [EMAIL PROTECTED]

It's fine as it is. Changing this now would break backwards
compatibility.

------------------------------------------------------------------------

[2005-11-29 18:15:55] kenashkov at gmail dot com

Description:
------------
Let us suppose that we use session_set_save_handler to register our own
session handling functions and we have an expired session (but not yet
cleaned by the garbage collector). When we start the session with
session_start() we get the following sequence of calls to the
registered functions:
open
read
gc
write
close
I think the garbage collector (gc) should be called BEFORE the read
function (in order to clean that expired session before it is read).
The way it is, it is possible for the web site visitor to use an old
session (only once of course, because immediately after read, gc is
called, and on the second visit the session will already be deleted).
Maybe the same problem exists when session_set_save_handler is not
used, but with it the sequence can be seen.

Reproduce code:
---------------
<?php
// Each handler only prints its name so the call order becomes visible.
// read() returns '' (no stored data); the others return true (success).
function open($save_path, $session_name) { print 'open<br>'.PHP_EOL; return true; }
function close() { print 'close<br>'.PHP_EOL; return true; }
function read($id) { print 'read<br>'.PHP_EOL; return ''; }
function write($id, $data) { print 'write<br>'.PHP_EOL; return true; }
function destroy($id) { print 'destroy<br>'.PHP_EOL; return true; }
function gc($maxlifetime) { print 'gc<br>'.PHP_EOL; return true; }
// Probability 1/1 forces gc to run on every session_start().
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);
session_set_save_handler('open', 'close', 'read', 'write', 'destroy', 'gc');
session_start();
session_write_close();
?>

Expected result:
----------------
open
gc
read
write
close

Actual result:
--------------
open
read
gc
write
close


------------------------------------------------------------------------
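The call order discussed in this report (read before gc) only matters if the expiry decision is left to gc alone. The following file-based save handler is an added example, not code from the bug report or from PHP itself; it enforces the inactivity limit inside read() itself, so a session that has been idle longer than session.gc_maxlifetime is discarded before its data is ever returned, whichever order PHP calls the handlers in. The storage directory, the sess_* function names, and the use of the file's mtime as "last activity" are assumptions made for the example.

```php
<?php
// Added example: inactivity expiry enforced in read(), independent of gc order.
// Assumptions: sessions live as files in $SESSION_DIR (constructed path) and
// "last activity" is the file's mtime, refreshed on read and on write.

$SESSION_DIR = sys_get_temp_dir() . '/demo_sessions';   // assumed location
$MAX_IDLE    = (int) ini_get('session.gc_maxlifetime');  // seconds, e.g. 1440

function sess_path($id) {
    global $SESSION_DIR;
    // Only accept plain token ids so the id cannot steer the file name elsewhere.
    if (!preg_match('/^[A-Za-z0-9,-]{1,128}$/', $id)) {
        return false;
    }
    return $SESSION_DIR . '/sess_' . $id;
}

function sess_open($save_path, $session_name) {
    global $SESSION_DIR;
    if (!is_dir($SESSION_DIR)) {
        mkdir($SESSION_DIR, 0700, true);
    }
    return true;
}

function sess_close() { return true; }

function sess_read($id) {
    global $MAX_IDLE;
    $path = sess_path($id);
    if ($path === false || !is_file($path)) {
        return '';
    }
    clearstatcache(true, $path);
    // The expiry check lives here. A stale session is deleted and treated as
    // empty instead of being touched first; touching before gc is exactly the
    // race the report describes.
    if (filemtime($path) + $MAX_IDLE < time()) {
        unlink($path);
        return '';
    }
    $data = file_get_contents($path);
    touch($path); // refresh last activity only for a session that passed the check
    return $data === false ? '' : $data;
}

function sess_write($id, $data) {
    $path = sess_path($id);
    if ($path === false) {
        return false;
    }
    return file_put_contents($path, $data, LOCK_EX) !== false;
}

function sess_destroy($id) {
    $path = sess_path($id);
    if ($path !== false && is_file($path)) {
        unlink($path);
    }
    return true;
}

function sess_gc($maxlifetime) {
    global $SESSION_DIR;
    // Periodic sweep for sessions nobody asks for any more; sessions that are
    // asked for are already covered by the check in sess_read().
    foreach (glob($SESSION_DIR . '/sess_*') as $file) {
        if (filemtime($file) + $maxlifetime < time()) {
            unlink($file);
        }
    }
    return true;
}

session_set_save_handler('sess_open', 'sess_close', 'sess_read',
                         'sess_write', 'sess_destroy', 'sess_gc');
session_start();
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;
session_write_close();
```

With this handler the gc probability settings only control how often abandoned files are swept from disk; they no longer decide whether an idle session can be resumed once, because read() applies the same limit on every access.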


Edit this bug report at http://bugs.php.net/?id=35479&edit=1
