from:"p dot kruijsen at mssm dot nl"

#30026 [Bgs-Opn]: Session variables lost with include through http

2004-09-15 Thread p dot kruijsen at mssm dot nl

 ID:   30026
 User updated by:  p dot kruijsen at mssm dot nl
 Reported By:  p dot kruijsen at mssm dot nl
-Status:   Bogus
+Status:   Open
 Bug Type: Session related
 Operating System: Windows XP / Redhat Linux
 PHP Version:  Irrelevant
 New Comment:

Please not that I am not trying to send any session or cookie
information along with my request. I specifically want to use the
session information that is already present at the server to which I
make the request.
Maybe it's better to assume a 'fopen' rather then an 'include'. If I
sign in to server.com and type http://server.com/check by hand in a
browser, I might recieve a 'You are signed in' message based on a
$_SESSION variable that was set. If I fopen(http://server.com/check)
from another server and print the contents I get 'You are not signed
in, please sign in'. The $_SESSION variable that is already present and
set at server.com (this is the key: I'm not sending anything!) is not
used when opening the server.com/check url via fopen() or include(). I
cannot understand the difference between opening a URL by hand or by
opening it and showing its contents via fopen().
Hope this clarifies. Thanks.


Previous Comments:


[2004-09-08 17:21:09] [EMAIL PROTECTED]

You are assuming a URL include will send cookie information along with
the request.  That is not the case.  You will have to do that yourself
if that is what you want.  See php.net/curl for everything you need to
send a request which includes the session cookie.



[2004-09-08 14:58:38] p dot kruijsen at mssm dot nl

Description:

When include()ing a url through HTTP, $_SESSION variables in the
requested page are lost. Opening the same url by hand does preserve the
$_SESSION variables.

Testcase:
Bootstrap a session variable on server1. (OK)
Test bootstrap by invoking script on server1. (OK)
Invoke script on server2 that includes script on server1. ($_SESSION is
lost)

This behaviour occurs on various operating systems with various up to
date versions of PHP. I suspect this to be some form of security
guarantee built into PHP. However, I see no difference in security
level between include()ing a file in a script and opening it by hand.

Reproduce code:
---
?php
// server1.com/bootstrap.php
session_start();
$_SESSION['bootstrap'] = 'OK';
echo('OK');
?

?php
// server1.com/test.php
session_start();
$_SESSION['server1'] = 'OK';
echo('preserver1: $_SESSION = ');
print_r($_SESSION);
echo('/pre');
?

?php
// server2.com/test.php
session_start();
include('http://server1.com/test.php');
$_SESSION['server2'] = 'OK';
echo('preserver2: $_SESSION = ');
print_r($_SESSION);
echo('/pre');
?

Expected result:

// invoke server1.com/bootstrap.php
OK

// invoke server1.com/test.php
server1: $_SESSION = Array
(
[bootstrap] = OK
[server1] = OK
)

// invoke server2.com/test.php
server1: $_SESSION = Array
(
[bootstrap] = OK
[server1] = OK
)
server2: $_SESSION = Array
(
[server2] = OK
)


Actual result:
--
// invoke server2.com/test.php
server1: $_SESSION = Array
(
[server1] = OK
)
server2: $_SESSION = Array
(
[server2] = OK
)

// Ths initial bootstrap variable is missing from $_SESSION on server1





-- 
Edit this bug report at http://bugs.php.net/?id=30026edit=1

#30026 [NEW]: Session variables lost with include through http

2004-09-08 Thread p dot kruijsen at mssm dot nl

From: p dot kruijsen at mssm dot nl
Operating system: Windows XP / Redhat Linux
PHP version:  Irrelevant
PHP Bug Type: Session related
Bug description:  Session variables lost with include through http

Description:

When include()ing a url through HTTP, $_SESSION variables in the requested
page are lost. Opening the same url by hand does preserve the $_SESSION
variables.

Testcase:
Bootstrap a session variable on server1. (OK)
Test bootstrap by invoking script on server1. (OK)
Invoke script on server2 that includes script on server1. ($_SESSION is
lost)

This behaviour occurs on various operating systems with various up to date
versions of PHP. I suspect this to be some form of security guarantee built
into PHP. However, I see no difference in security level between
include()ing a file in a script and opening it by hand.

Reproduce code:
---
?php
// server1.com/bootstrap.php
session_start();
$_SESSION['bootstrap'] = 'OK';
echo('OK');
?

?php
// server1.com/test.php
session_start();
$_SESSION['server1'] = 'OK';
echo('preserver1: $_SESSION = ');
print_r($_SESSION);
echo('/pre');
?

?php
// server2.com/test.php
session_start();
include('http://server1.com/test.php');
$_SESSION['server2'] = 'OK';
echo('preserver2: $_SESSION = ');
print_r($_SESSION);
echo('/pre');
?

Expected result:

// invoke server1.com/bootstrap.php
OK

// invoke server1.com/test.php
server1: $_SESSION = Array
(
[bootstrap] = OK
[server1] = OK
)

// invoke server2.com/test.php
server1: $_SESSION = Array
(
[bootstrap] = OK
[server1] = OK
)
server2: $_SESSION = Array
(
[server2] = OK
)


Actual result:
--
// invoke server2.com/test.php
server1: $_SESSION = Array
(
[server1] = OK
)
server2: $_SESSION = Array
(
[server2] = OK
)

// Ths initial bootstrap variable is missing from $_SESSION on server1

-- 
Edit bug report at http://bugs.php.net/?id=30026edit=1
-- 
Try a CVS snapshot (php4):   http://bugs.php.net/fix.php?id=30026r=trysnapshot4
Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=30026r=trysnapshot50
Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=30026r=trysnapshot51
Fixed in CVS:http://bugs.php.net/fix.php?id=30026r=fixedcvs
Fixed in release:http://bugs.php.net/fix.php?id=30026r=alreadyfixed
Need backtrace:  http://bugs.php.net/fix.php?id=30026r=needtrace
Need Reproduce Script:   http://bugs.php.net/fix.php?id=30026r=needscript
Try newer version:   http://bugs.php.net/fix.php?id=30026r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=30026r=support
Expected behavior:   http://bugs.php.net/fix.php?id=30026r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=30026r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=30026r=submittedtwice
register_globals:http://bugs.php.net/fix.php?id=30026r=globals
PHP 3 support discontinued:  http://bugs.php.net/fix.php?id=30026r=php3
Daylight Savings:http://bugs.php.net/fix.php?id=30026r=dst
IIS Stability:   http://bugs.php.net/fix.php?id=30026r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=30026r=gnused
Floating point limitations:  http://bugs.php.net/fix.php?id=30026r=float
MySQL Configuration Error:   http://bugs.php.net/fix.php?id=30026r=mysqlcfg

#30026 [Bgs-Opn]: Session variables lost with include through http

#30026 [NEW]: Session variables lost with include through http

2 matches

Site Navigation

Mail list logo

Footer information