Edit report at https://bugs.php.net/bug.php?id=31369&edit=1

 ID:                 31369
 Updated by:         yohg...@php.net
 Reported by:        baafie at planet dot nl
 Summary:            session_destroy() and/or session_write_close()
                     should unregister URL handler
-Status:             Assigned
+Status:             Wont fix
 Type:               Feature/Change Request
 Package:            Session related
 Operating System:   Linux Red hat 9 -2.4.20
 PHP Version:        4.3.10
 Assigned To:        sas
 Block user comment: N
 Private report:     N

 New Comment:

We are sorry, but we can not support PHP 4 related problems anymore.

Previous Comments:
------------------------------------------------------------------------
[2005-01-17 18:38:51] sni...@php.net

Assigning to the author of ext/session who can explain this / change it if he 
wishes.


------------------------------------------------------------------------
[2005-01-17 02:38:09] destes at ix dot netcom dot com

This is a potential security issue, since I read the manual as describing the 
behavior this bug expects (whereas the experienced behavior is very different). 
The ability to keep session data private (especially SIDs) is very important 
and I don't think the developers intended trans-sid to extend beyond the use of 
sessions in a script (i.e., beyond where the session has been destroyed).

On a sidenote, you can avoid having trans-sid append your links by using 
absolute (rather than relative) URLs.

I recommend that the original submitter change this back from Bogus; 
absolutely zero explanation was given as to why this isn't a bug, and I 
(personally) happen to disagree.

-Steve

------------------------------------------------------------------------
[2004-12-31 16:33:49] baafie at planet dot nl

Description:
------------
According to the php manual, session_start() will register internal output 
handler for URL rewriting when trans-sid is enabled. Should session_destroy() 
and/or session_write_close() not unregister this handler?

Reproduce code:
---------------
<?php

// Enable trans-sid so session_start() registers the URL-rewriting output handler.
ini_set('session.use_trans_sid', '1');
session_start();

// Double quotes so "\n" is a real newline (single quotes printed a literal \n).
echo '<a href="index.php">a page</a>' . "\n";
session_destroy();
// This link is printed after the session is destroyed.
echo '<a href="index.php">a page</a>';

?>

Expected result:
----------------
Only the link that was printed before session_destroy() should contain the 
session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php">a page</a>

Actual result:
--------------
Both URLs contain the session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php?PHPSESSID=2382309823823...">a page</a>

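As an added example (not the reporter's or Steve's code), the mitigation a script can apply to the behaviour reported above, together with the absolute-URL workaround from the comment above: output_reset_rewrite_vars() (PHP 4.3+) clears the session ID from the URL rewriter even though the handler itself stays registered after session_destroy(). Assumed: the rewriter processes buffered output, so the buffer is flushed before the reset; the example.com URL is constructed.

```php
<?php
// Added example, not the bug report's code: after session_destroy() the
// trans-sid output handler is still registered, so any relative URL echoed
// later still gets PHPSESSID appended. Clearing the rewrite variables stops
// the session ID from leaking into the rest of the page.
ini_set('session.use_trans_sid', '1');
ini_set('session.use_only_cookies', '0'); // URL rewriting only happens when this is off
session_start();

// Printed while the session is live: rewritten to index.php?PHPSESSID=...
echo '<a href="index.php">a page</a>' . "\n";

session_destroy();

// Assumption: the rewriter works on buffered output, so flush what was
// echoed so far; otherwise the reset below also strips the ID from the
// link above, which the script may still want to carry the session.
ob_flush();
// Drop the session ID from the URL rewriter; later output is left alone.
output_reset_rewrite_vars();

// Printed after the reset: stays index.php with no PHPSESSID.
echo '<a href="index.php">a page</a>' . "\n";

// Workaround from the comment above: absolute URLs are not rewritten by
// trans-sid, so they never carry the session ID (example.com is constructed).
echo '<a href="http://example.com/index.php">a page</a>' . "\n";
```

Turning off session.use_trans_sid entirely (and setting session.use_only_cookies=1) avoids the problem for every script, since no URL is rewritten in the first place.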

------------------------------------------------------------------------