#30026 [Bgs-Opn]: Session variables lost with include through http
ID: 30026 User updated by: p dot kruijsen at mssm dot nl Reported By: p dot kruijsen at mssm dot nl -Status: Bogus +Status: Open Bug Type: Session related Operating System: Windows XP / Redhat Linux PHP Version: Irrelevant New Comment: Please not that I am not trying to send any session or cookie information along with my request. I specifically want to use the session information that is already present at the server to which I make the request. Maybe it's better to assume a 'fopen' rather then an 'include'. If I sign in to server.com and type http://server.com/check by hand in a browser, I might recieve a 'You are signed in' message based on a $_SESSION variable that was set. If I fopen(http://server.com/check) from another server and print the contents I get 'You are not signed in, please sign in'. The $_SESSION variable that is already present and set at server.com (this is the key: I'm not sending anything!) is not used when opening the server.com/check url via fopen() or include(). I cannot understand the difference between opening a URL by hand or by opening it and showing its contents via fopen(). Hope this clarifies. Thanks. Previous Comments: [2004-09-08 17:21:09] [EMAIL PROTECTED] You are assuming a URL include will send cookie information along with the request. That is not the case. You will have to do that yourself if that is what you want. See php.net/curl for everything you need to send a request which includes the session cookie. [2004-09-08 14:58:38] p dot kruijsen at mssm dot nl Description: When include()ing a url through HTTP, $_SESSION variables in the requested page are lost. Opening the same url by hand does preserve the $_SESSION variables. Testcase: Bootstrap a session variable on server1. (OK) Test bootstrap by invoking script on server1. (OK) Invoke script on server2 that includes script on server1. ($_SESSION is lost) This behaviour occurs on various operating systems with various up to date versions of PHP. I suspect this to be some form of security guarantee built into PHP. However, I see no difference in security level between include()ing a file in a script and opening it by hand. Reproduce code: --- ?php // server1.com/bootstrap.php session_start(); $_SESSION['bootstrap'] = 'OK'; echo('OK'); ? ?php // server1.com/test.php session_start(); $_SESSION['server1'] = 'OK'; echo('preserver1: $_SESSION = '); print_r($_SESSION); echo('/pre'); ? ?php // server2.com/test.php session_start(); include('http://server1.com/test.php'); $_SESSION['server2'] = 'OK'; echo('preserver2: $_SESSION = '); print_r($_SESSION); echo('/pre'); ? Expected result: // invoke server1.com/bootstrap.php OK // invoke server1.com/test.php server1: $_SESSION = Array ( [bootstrap] = OK [server1] = OK ) // invoke server2.com/test.php server1: $_SESSION = Array ( [bootstrap] = OK [server1] = OK ) server2: $_SESSION = Array ( [server2] = OK ) Actual result: -- // invoke server2.com/test.php server1: $_SESSION = Array ( [server1] = OK ) server2: $_SESSION = Array ( [server2] = OK ) // Ths initial bootstrap variable is missing from $_SESSION on server1 -- Edit this bug report at http://bugs.php.net/?id=30026edit=1
#30026 [NEW]: Session variables lost with include through http
From: p dot kruijsen at mssm dot nl Operating system: Windows XP / Redhat Linux PHP version: Irrelevant PHP Bug Type: Session related Bug description: Session variables lost with include through http Description: When include()ing a url through HTTP, $_SESSION variables in the requested page are lost. Opening the same url by hand does preserve the $_SESSION variables. Testcase: Bootstrap a session variable on server1. (OK) Test bootstrap by invoking script on server1. (OK) Invoke script on server2 that includes script on server1. ($_SESSION is lost) This behaviour occurs on various operating systems with various up to date versions of PHP. I suspect this to be some form of security guarantee built into PHP. However, I see no difference in security level between include()ing a file in a script and opening it by hand. Reproduce code: --- ?php // server1.com/bootstrap.php session_start(); $_SESSION['bootstrap'] = 'OK'; echo('OK'); ? ?php // server1.com/test.php session_start(); $_SESSION['server1'] = 'OK'; echo('preserver1: $_SESSION = '); print_r($_SESSION); echo('/pre'); ? ?php // server2.com/test.php session_start(); include('http://server1.com/test.php'); $_SESSION['server2'] = 'OK'; echo('preserver2: $_SESSION = '); print_r($_SESSION); echo('/pre'); ? Expected result: // invoke server1.com/bootstrap.php OK // invoke server1.com/test.php server1: $_SESSION = Array ( [bootstrap] = OK [server1] = OK ) // invoke server2.com/test.php server1: $_SESSION = Array ( [bootstrap] = OK [server1] = OK ) server2: $_SESSION = Array ( [server2] = OK ) Actual result: -- // invoke server2.com/test.php server1: $_SESSION = Array ( [server1] = OK ) server2: $_SESSION = Array ( [server2] = OK ) // Ths initial bootstrap variable is missing from $_SESSION on server1 -- Edit bug report at http://bugs.php.net/?id=30026edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=30026r=trysnapshot4 Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=30026r=trysnapshot50 Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=30026r=trysnapshot51 Fixed in CVS:http://bugs.php.net/fix.php?id=30026r=fixedcvs Fixed in release:http://bugs.php.net/fix.php?id=30026r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=30026r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=30026r=needscript Try newer version: http://bugs.php.net/fix.php?id=30026r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=30026r=support Expected behavior: http://bugs.php.net/fix.php?id=30026r=notwrong Not enough info: http://bugs.php.net/fix.php?id=30026r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=30026r=submittedtwice register_globals:http://bugs.php.net/fix.php?id=30026r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=30026r=php3 Daylight Savings:http://bugs.php.net/fix.php?id=30026r=dst IIS Stability: http://bugs.php.net/fix.php?id=30026r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=30026r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=30026r=float MySQL Configuration Error: http://bugs.php.net/fix.php?id=30026r=mysqlcfg