ID:               25934
 User updated by:  php at webfreezer dot com
 Reported By:      php at webfreezer dot com
-Status:           No Feedback
+Status:           Closed
 Bug Type:         Session related
 Operating System: SuSe Linux 8.1
 PHP Version:      4.3.4
 New Comment:

Never thought that I'd set one of my own bug reports to "Bogus" ;-)

The problem was that I set "session.referer_check" to "0" via ini_set
(to override any possible change in php.ini), because somehow I thought
that this would deactivate the referer check and not knowing that this
would mark the given sessionID as invalid if the string "0" is not
contained in the referring URL.

Sorry! :-)


Previous Comments:
------------------------------------------------------------------------

[2003-11-17 18:15:42] [EMAIL PROTECTED]

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.



------------------------------------------------------------------------

[2003-11-05 11:32:59] [EMAIL PROTECTED]

Provide a complete example script. And FYI: for security reasons you
really should use only cookies for passing the session ID around..


------------------------------------------------------------------------

[2003-11-05 03:00:31] php at webfreezer dot com

This still happens in Version 4.3.4 which is now installed on the live
system.

What I do:
- ini_set(session settings...)
- session_start()
- accessing the session values via $_SESSION
- I don't use session_register() and session_unregister()
- Post a form via GET -> error occurs? -> redirect via header() with
attached SID -> display page -> PHP ignores given sessionID
- URL e.g.
error.php?e=noresults_city&qid=1&sessionID=92f9dcf7a0d89eaa2b0bc8f2e4dfd460&token=d03d28781b196bd362b9aeb7844e8e85
- session_id() however is different from "$_GET[session_name()]" then
- The error occurs every time a new session is used (e.g. accessing the
website and submitting the form for the first time in the session)

I found at least a workaround for that:

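// Auto-Reset to correct session data
$sn=session_name();
// Accept only values made of session-ID characters, so the GET value
// cannot change the file path built below
if(isset($_GET[$sn]) && preg_match('/^[A-Za-z0-9,-]+$/', $_GET[$sn])
   && $_GET[$sn] != session_id())
{
        $sessionSavePath=ini_get("session.save_path");
        $oldSessionContent=file_get_contents($sessionSavePath."/sess_".$_GET[$sn]);
        // Load the old session data only if its file could be read
        if($oldSessionContent !== false)
        {
                session_decode($oldSessionContent);
        }
}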

If the error occurs it is now fixed on-the-fly.
This works _every time_ when the error occurs.
As I said before the session file exists, it is readable and can be
accessed without any problems, so it's no wonder this workaround works.

------------------------------------------------------------------------

[2003-10-21 08:37:47] php at webfreezer dot com

Description:
------------
PHP sometimes does not want to use the sessionID given via GET! This
happens only on some occasions however it is reproducible on such a
certain page. I regret that I cannot post a short code snippet because
it simply does not happen when testing with a short code snippet.

What happens is the following:
- the SID is used as a GET parameter (this works on every other page!)
- $sidname=session_name(); echo $_GET[$sidname] outputs the correct SID
visible in the URL (e.g.
"/search.php?page=2&qid=1&sessionID=1291bfd78301f151803ca632cd41f626")
- however echo session_id() outputs a totally different SID!
- both (old and new) SID files exist and are readable

session.auto_start=0
session.use_cookies=0
session.use_only_cookies=0
session.referer_check=0

I even implemented my own session handler and it appears that PHP does
not even call the OPEN function for the "old" SID that it no longer
wants to use.

I also tried to use the generic PHPSESSID name instead of the custom
"sessionID" by not setting the custom name, but the problem still
exists.

This is my configure line:

'./configure' '--with-apache=../apache_1.3.28'
'--with-mhash=/usr/local/lib' '--with-zlib-dir=/usr/local/lib'
'--with-zip=/usr/local/lib' '--enable-memory-limit'
'--enable-versioning' '--with-gd' '--enable-exif'
'--with-config-file-path=/etc' '--enable-magic-quotes'
'--enable-thread-safety' '--with-gettext' '--with-xml' '--with-mcrypt'
'--enable-calendar' '--enable-bcmath' '--with-curl'
'--with-curlwrappers' '--enable-ftp' '--enable-wddx'
'--with-jpeg-dir=/usr/lib' 



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=25934&edit=1
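
The behaviour described in the closing comment, as an added example that is not part of the original report or of PHP's source: a small PHP model of the documented session.referer_check rule (a non-empty value is a substring that a client-sent Referer must contain, otherwise the session ID embedded in the URL is marked invalid). The function name, host name and Referer values are constructed for illustration.

```php
<?php
// Added example: models the documented session.referer_check rule.
// It is not PHP's internal implementation.

// Disabling the check in application code: the empty string (the default),
// set before session_start() and before any output.
ini_set('session.referer_check', '');

/**
 * Returns true when a session ID passed in the URL would still be accepted.
 * $check   - value of session.referer_check
 * $referer - Referer header sent by the client, or null if none was sent
 * (hypothetical helper, named for this example only)
 */
function sidAcceptedByRefererCheck(string $check, ?string $referer): bool
{
    if ($check === '') {
        return true;   // empty string: check disabled
    }
    if ($referer === null || $referer === '') {
        return true;   // no Referer sent by the client: nothing to compare
    }
    // Any non-empty value, including "0", is a substring to look for.
    return strpos($referer, $check) !== false;
}

// Constructed sample Referer values (hypothetical host and paths).
$referers = [
    null,
    'http://www.example.com/search.php?page=2',
    'http://www.example.com/search.php?page=10',
    'http://www.example.com/index.php',
];

foreach (['0', ''] as $check) {
    foreach ($referers as $referer) {
        printf(
            "referer_check=%-4s referer=%-45s SID %s\n",
            var_export($check, true),
            var_export($referer, true),
            sidAcceptedByRefererCheck($check, $referer) ? 'kept' : 'discarded'
        );
    }
}
```

With the value "0", whether the URL-supplied ID survives depends only on whether the referring URL happens to contain the character "0", so the result varies from page to page.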
