 ID:               33526
 Updated by:       [EMAIL PROTECTED]
 Reported By:      aaron at istockphoto dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Session related
 Operating System: Slackware 9.1.0
 PHP Version:      4.3.10
 New Comment:

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz

For Windows:

  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip


Previous Comments:
------------------------------------------------------------------------

[2005-06-30 18:26:27] aaron at istockphoto dot com

Description:
------------
This is related to the issue that was reported in Bug #25629 "session cookie being set to deleted when deleting a session" for version 4.3.1. I was not sure if I should try to re-open the old bug or submit a new one. My apologies.

The problem is not with the session code, but is a side effect of the behavior of setcookie(). Following the example provided in the manual entries for session_destroy() and setcookie(), the value of the session cookie is not set to '' (empty string) as expected, but is set to 'deleted' instead.

This shouldn't be an issue, except that if the client computer's date is incorrectly set in the distant past (not uncommon) then the cookie will not be removed from the browser and will be passed in the next request as "deleted".

Within 24 hours of adding the "setcookie('PHPSESSID', '', time() - 172800, '/', '.foo.bar')" line to our logout procedure we discovered that perhaps 40 visitors had shared the same session data. A major security issue to be sure. We hacked our session handler object to not accept 'deleted' as a session ID.

Either PHP should be updated to set the value of the cookie to an empty string as the setcookie() command insinuates it will be, or the manual entries for session_destroy(), setcookie(), and session_set_save_handler() should be updated to explain the current behavior.

Thank you :)

Headers sent in request response to illustrate actual values of cookies:

HTTP/1.1 302 Found
Date: Thu, 30 Jun 2005 15:30:12 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7d
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=deleted; expires=Wed, 30-Jun -04 15:30:11 GMT; path=/; domain=.foo.bar
Set-Cookie: somecookie=deleted; expires=Wed, 30-Jun -04 15:41:00 GMT; path=/; domain=.foo.bar
location: /index.php
Transfer-Encoding: chunked
Content-Type: text/html

Reproduce code:
---------------
Source code:

<?php
session_start();
// Ask for an empty cookie value with an expiry two days in the past.
setcookie('PHPSESSID', '', time() - 172800, '/', '.foo.bar');
setcookie('somecookie', '', time() - 172800, '/', '.foo.bar');
// Clear the session data and destroy the server-side session.
$_SESSION = array();
session_destroy();
header('location: /index.php');

Expected result:
----------------
The value of PHPSESSID cookie (or any other cookie) would be set to '' (empty string)

Actual result:
--------------
The value of PHPSESSID cookie (or any other cookie) is set to 'deleted' resulting in many users sharing the same session ID.

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=33526&edit=1
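
The workaround the reporter describes (refusing 'deleted' as a session ID) can be enforced before the session starts, together with a logout that reuses the cookie's own attributes. This is an added example, not code from the bug report or from PHP itself; the function names are hypothetical, and it assumes PHP 7.0+ with cookie-based sessions and the default session ID alphabet.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report. Function names are hypothetical.

/** Accept only IDs shaped like ones PHP generates: 22-256 chars of [A-Za-z0-9,-]. */
function is_plausible_session_id($id): bool
{
    // $_COOKIE entries can be arrays, so check the type before matching.
    return is_string($id) && preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1;
}

/** Start the session without adopting a client-supplied ID that fails validation. */
function start_session_safely(): void
{
    // Have PHP refuse session IDs it did not issue (setting exists since PHP 5.5.2).
    ini_set('session.use_strict_mode', '1');
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_plausible_session_id($_COOKIE[$name])) {
        // A stale placeholder such as "deleted": an ID set here takes
        // precedence over the cookie when session_start() runs.
        session_id(bin2hex(random_bytes(16)));
    }
    session_start();
}

/** Logout: empty the data, expire the cookie with its original attributes, drop storage. */
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        start_session_safely();
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 172800,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed sample values, checked without starting a session.
if (PHP_SAPI === 'cli') {
    foreach (['deleted', '', 'k3v0p9q2m1b7c8d4e5f6a7b8c9'] as $candidate) {
        printf("%-30s %s\n", var_export($candidate, true),
            is_plausible_session_id($candidate) ? 'accept' : 'reject');
    }
}
```

The server-side check matters because expiry is evaluated against the client's clock, so the server cannot rely on the browser discarding the cookie.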