#25934 [Fbk-Opn]: SessionID in URL sometimes ignored
ID: 25934 User updated by: php at webfreezer dot com Reported By: php at webfreezer dot com -Status: Feedback +Status: Open Bug Type: Session related Operating System: SuSe Linux 8.1 PHP Version: 4.3.3 New Comment: This is an excerpt of ini_get_all vardump´ed: [session.auto_start] array(3) = { [global_value] string(1) = 0 [local_value] string(1) = 0 [access] int(7) = } [session.bug_compat_42] array(3) = { [global_value] string(1) = 1 [local_value] string(1) = 1 [access] int(7) = } [session.bug_compat_warn] array(3) = { [global_value] string(1) = 1 [local_value] string(1) = 1 [access] int(7) = } [session.cache_expire] array(3) = { [global_value] string(2) = 60 [local_value] string(3) = 180 [access] int(7) = } [session.cache_limiter] array(3) = { [global_value] string(7) = nocache [local_value] string(7) = nocache [access] int(7) = } [session.cookie_domain] array(3) = { [global_value] string(0) = [local_value] string(0) = [access] int(7) = } [session.cookie_lifetime] array(3) = { [global_value] string(1) = 0 [local_value] string(1) = 0 [access] int(7) = } [session.cookie_path] array(3) = { [global_value] string(1) = / [local_value] string(1) = / [access] int(7) = } [session.cookie_secure] array(3) = { [global_value] string(0) = [local_value] string(0) = [access] int(7) = } [session.entropy_file] array(3) = { [global_value] string(0) = [local_value] string(0) = [access] int(7) = } [session.entropy_length] array(3) = { [global_value] string(1) = 0 [local_value] string(1) = 0 [access] int(7) = } [session.gc_divisor] array(3) = { [global_value] string(3) = 100 [local_value] string(3) = 100 [access] int(7) = } [session.gc_maxlifetime] array(3) = { [global_value] string(4) = 1440 [local_value] string(4) = 1440 [access] int(7) = } [session.gc_probability] array(3) = { [global_value] string(1) = 1 [local_value] string(1) = 1 [access] int(7) = } [session.name] array(3) = { [global_value] string(9) = PHPSESSID [local_value] string(9) = sessionID [access] int(7) = } [session.referer_check] array(3) = { [global_value] string(0) = [local_value] string(1) = 0 [access] int(7) = } [session.save_handler] array(3) = { [global_value] string(5) = files [local_value] string(5) = files [access] int(7) = } [session.save_path] array(3) = { [global_value] string(4) = /tmp [local_value] string(44) = /var/www/DOMAINNAME/temp/sessions [access] int(7) = } [session.serialize_handler] array(3) = { [global_value] string(3) = php [local_value] string(3) = php [access] int(7) = } [session.use_cookies] array(3) = { [global_value] string(1) = 1 [local_value] string(1) = 0 [access] int(7) = } [session.use_only_cookies] array(3) = { [global_value] string(1) = 0 [local_value] string(1) = 0 [access] int(7) = } [session.use_trans_sid] array(3) = { [global_value] string(1) = 0 [local_value] string(1) = 0 [access] int(6) = } Previous Comments: [2003-10-29 19:58:00] [EMAIL PROTECTED] Could you please show all your session related INI values after any ini_set() or session_set_cookie_params() that your script normally makes. [2003-10-22 06:01:14] php at webfreezer dot com Sorry, ini_set(session.name, sessionID) is called before, NOT ini_set(session-name... [2003-10-22 05:59:38] php at webfreezer dot com I don´t access the sessionID in the scripts directly via any $_GET or $_POST. I only use PHP´s session_id() and session_name() functions throughout the scripts. After testing the current PHP snap there has been no change in the behavior so I changed the version back to 4.3.3. However I tried something different. I appended PHPSESSID={SESSIONID} to the URL so that it now looks like file.php?sessionID={SESSIONID}PHPSESSID={SESSIONID} when such a session loss occured and it works! As I stated before the session file exists and contains the correct data so the session is kind of restored that way. ini_get(session.name) however correctly returns sessionID on the same page and ini_set(session-name, sessionID) is of course called prior to session_start(). So it seems as if PHP does not always correctly use the settings and falls back to standard values. Might ini_set values also be remembered by Apache processes as stated in bug bug #25753? I don´t know why it didn´t work some time ago when changing the session name to PHPSESSID did not work, but since then the code has been changed since then
#25934 [Fbk-Opn]: SessionID in URL sometimes ignored
ID: 25934 User updated by: php at webfreezer dot com Reported By: php at webfreezer dot com -Status: Feedback +Status: Open Bug Type: Session related Operating System: SuSe Linux 8.1 PHP Version: 4.3.3 New Comment: I`ll test the snapshot soon. The following is the content of the .htaccess in the DocumentRoot: php_value register_globals 0 Options -Indexes register_globals must be set to on for the whole server because there are other older websites that require this option so I explicitly have to disable it for the affected website. Previous Comments: [2003-10-22 02:01:38] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php4-STABLE-latest.tar.gz For Windows: http://snaps.php.net/win32/php4-win32-STABLE-latest.zip And do you set any PHP ini options in your httpd.conf / .htaccess file? (for any vhost) [2003-10-21 16:11:03] php at webfreezer dot com No, it is off: session.use_trans_sid = 0 [2003-10-21 15:14:18] [EMAIL PROTECTED] You do have session.use_trans_sid = 1 in your php.ini? [2003-10-21 08:37:47] php at webfreezer dot com Description: PHP sometimes does not want to use the sessionID given via GET! This happens only on some occasions however it is reproducible on such a certain page. I regret that I cannot post a short code snippet because it simply does not happen when testing with a short code snippet. What happens is the following: - the SID is used as a GET parameter (this works on every other page!) - $sidname=session_name(); echo $_GET[$sidname] outputs the correct SID visible in the URL (e.g. /search.php?page=2qid=1sessionID=1291bfd78301f151803ca632cd41f626) - however echo session_id() outputs a totally different SID! - both (old and new) SID files exist and are readable session.auto_start=0 session.use_cookies=0 session.use_only_cookies=0 session.referer_check=0 I even implemented my own session handler and it appears that PHP does not even call the OPEN function for the old SID that it no longer wants to use. I also tried to use the generic PHPSESSID name instead of the custom sessionID by not setting the custom name, but the problem still exists. This is my configure line: './configure' '--with-apache=../apache_1.3.28' '--with-mhash=/usr/local/lib' '--with-zlib-dir=/usr/local/lib' '--with-zip=/usr/local/lib' '--enable-memory-limit' '--enable-versioning' '--with-gd' '--enable-exif' '--with-config-file-path=/etc' '--enable-magic-quotes' '--enable-thread-safety' '--with-gettext' '--with-xml' '--with-mcrypt' '--enable-calendar' '--enable-bcmath' '--with-curl' '--with-curlwrappers' '--enable-ftp' '--enable-wddx' '--with-jpeg-dir=/usr/lib' -- Edit this bug report at http://bugs.php.net/?id=25934edit=1
#25934 [Fbk-Opn]: SessionID in URL sometimes ignored
ID: 25934 User updated by: php at webfreezer dot com Reported By: php at webfreezer dot com -Status: Feedback +Status: Open Bug Type: Session related Operating System: SuSe Linux 8.1 PHP Version: 4.3.3 New Comment: I don´t access the sessionID in the scripts directly via any $_GET or $_POST. I only use PHP´s session_id() and session_name() functions throughout the scripts. After testing the current PHP snap there has been no change in the behavior so I changed the version back to 4.3.3. However I tried something different. I appended PHPSESSID={SESSIONID} to the URL so that it now looks like file.php?sessionID={SESSIONID}PHPSESSID={SESSIONID} when such a session loss occured and it works! As I stated before the session file exists and contains the correct data so the session is kind of restored that way. ini_get(session.name) however correctly returns sessionID on the same page and ini_set(session-name, sessionID) is of course called prior to session_start(). So it seems as if PHP does not always correctly use the settings and falls back to standard values. Might ini_set values also be remembered by Apache processes as stated in bug bug #25753? I don´t know why it didn´t work some time ago when changing the session name to PHPSESSID did not work, but since then the code has been changed since then that might have been another problem. Previous Comments: [2003-10-22 04:49:53] [EMAIL PROTECTED] Are you accessing the session ID via globals or do you use $_GET, etc.? This might be same issue as bug #25753 is about. [2003-10-22 03:03:04] php at webfreezer dot com I`ll test the snapshot soon. The following is the content of the .htaccess in the DocumentRoot: php_value register_globals 0 Options -Indexes register_globals must be set to on for the whole server because there are other older websites that require this option so I explicitly have to disable it for the affected website. [2003-10-22 02:01:38] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php4-STABLE-latest.tar.gz For Windows: http://snaps.php.net/win32/php4-win32-STABLE-latest.zip And do you set any PHP ini options in your httpd.conf / .htaccess file? (for any vhost) [2003-10-21 16:11:03] php at webfreezer dot com No, it is off: session.use_trans_sid = 0 [2003-10-21 15:14:18] [EMAIL PROTECTED] You do have session.use_trans_sid = 1 in your php.ini? The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/25934 -- Edit this bug report at http://bugs.php.net/?id=25934edit=1
#25934 [Fbk-Opn]: SessionID in URL sometimes ignored
ID: 25934 User updated by: php at webfreezer dot com Reported By: php at webfreezer dot com -Status: Feedback +Status: Open Bug Type: Session related Operating System: SuSe Linux 8.1 PHP Version: 4.3.3 New Comment: No, it is off: session.use_trans_sid = 0 Previous Comments: [2003-10-21 15:14:18] [EMAIL PROTECTED] You do have session.use_trans_sid = 1 in your php.ini? [2003-10-21 08:37:47] php at webfreezer dot com Description: PHP sometimes does not want to use the sessionID given via GET! This happens only on some occasions however it is reproducible on such a certain page. I regret that I cannot post a short code snippet because it simply does not happen when testing with a short code snippet. What happens is the following: - the SID is used as a GET parameter (this works on every other page!) - $sidname=session_name(); echo $_GET[$sidname] outputs the correct SID visible in the URL (e.g. /search.php?page=2qid=1sessionID=1291bfd78301f151803ca632cd41f626) - however echo session_id() outputs a totally different SID! - both (old and new) SID files exist and are readable session.auto_start=0 session.use_cookies=0 session.use_only_cookies=0 session.referer_check=0 I even implemented my own session handler and it appears that PHP does not even call the OPEN function for the old SID that it no longer wants to use. I also tried to use the generic PHPSESSID name instead of the custom sessionID by not setting the custom name, but the problem still exists. This is my configure line: './configure' '--with-apache=../apache_1.3.28' '--with-mhash=/usr/local/lib' '--with-zlib-dir=/usr/local/lib' '--with-zip=/usr/local/lib' '--enable-memory-limit' '--enable-versioning' '--with-gd' '--enable-exif' '--with-config-file-path=/etc' '--enable-magic-quotes' '--enable-thread-safety' '--with-gettext' '--with-xml' '--with-mcrypt' '--enable-calendar' '--enable-bcmath' '--with-curl' '--with-curlwrappers' '--enable-ftp' '--enable-wddx' '--with-jpeg-dir=/usr/lib' -- Edit this bug report at http://bugs.php.net/?id=25934edit=1