Bug #24169 session cookie being incorrectly sent
Submitted: 2003-06-13 03:51 UTC Modified: 2003-06-13 15:32 UTC
From: steveh at brendata dot co dot uk Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.2 OS: NT4 SP6a
Private report: No CVE-ID: None
 [2003-06-13 03:51 UTC] steveh at brendata dot co dot uk
Description:
------------
For session handling a cookie should be set as follows:
<session name>=<session id>
This was previously working, but since upgrading to 4.3.2 we now see cookies set as follows:

<session id>=<session id>

As a result sessions are not carried over and a new session is started for every access (i.e. no cookie called PHPSESSID or whatever is in the php.ini)

Here's the relevant chunk of phpinfo output that demonstrates this.

_SERVER["HTTP_COOKIE"] CookieProductID=94; a9c7fa405401e831e6ada0ee31f67ea3=a9c7fa405401e831e6ada0ee31f67ea3; caec00776094cd5017fa35e41162333b=caec00776094cd5017fa35e41162333b; 139632a02257356caa27c86256afcb70=139632a02257356caa27c86256afcb70; 0ba5beadf45c35245e67c1f67ffc70dc=0ba5beadf45c35245e67c1f67ffc70dc; b7f2e2e4a196a620f318f16034a8192b=b7f2e2e4a196a620f318f16034a8192b; 6ca2b668932e46c85528d399fad50541=6ca2b668932e46c85528d399fad50541; 913a5a99fa54ccd33b610b3f882d132d=913a5a99fa54ccd33b610b3f882d132d; a7c7085d672b5e885476dabdc096ca9f=a7c7085d672b5e885476dabdc096ca9f; 04a257bf48fef943fb1d4ed508970140=04a257bf48fef943fb1d4ed508970140; d269823ce913782241613e3791935d11=d269823ce913782241613e3791935d11; edc78b150437138fb1d14915a97dee87=edc78b150437138fb1d14915a97dee87; 50212bca7b517a57521305d72a6c43c9=50212bca7b517a57521305d72a6c43c9; 68c37f0103351348dd1e705847e2f6d3=68c37f0103351348dd1e705847e2f6d3; 78d96155c83ee77e3fc3b69731b428a4=78d96155c83ee77e3fc3b69731b428a4; e7b52247b003b85c04d942721879206a=e7b52247b003b85c04d942721879206a; f3d20ebc7068137eaa7b3461eab64d62=f3d20ebc7068137eaa7b3461eab64d62; c3940ed02170d481105849b74b6d3cb8=c3940ed02170d481105849b74b6d3cb8; e8109d59aca1442f4cd7fa5358410c30=e8109d59aca1442f4cd7fa5358410c30; 2a0f643e85d2b21003958bb47c2a2d4d=2a0f643e85d2b21003958bb47c2a2d4d 

Reproduce code:
---------------
<?php

session_start();
$_SESSION["FRED"]=1;
echo session_id();
phpinfo();

?>

Expected result:
----------------
The same session id for each open, and PHPSESSID seen as a cookie in the headers.

Actual result:
--------------
Different session ids each time, and a growing list of <session id>=<session id> cookies.


 [2003-06-13 07:28 UTC] sniper@php.net
And what might be the relevant php.ini options..?
(the ones with "session." prefix)

 [2003-06-13 07:35 UTC] steveh at brendata dot co dot uk
Here they are.
Files do get created in the php\sessiondata directory, this worked fine with 4.3.1 (and the same php.ini file), it has stopped since upgrading to 4.3.2.

Directive Local Value Master Value 
session.auto_start Off Off 
session.bug_compat_42 Off Off 
session.bug_compat_warn Off Off 
session.cache_expire 180 180 
session.cache_limiter nocache nocache 
session.cookie_domain no value no value 
session.cookie_lifetime 0 0 
session.cookie_path / / 
session.cookie_secure Off Off 
session.entropy_file no value no value 
session.entropy_length 0 0 
session.gc_divisor 100 100 
session.gc_maxlifetime 1440 1440 
session.gc_probability 1 1 
session.name PHPSESSID PHPSESSID 
session.referer_check no value no value 
session.save_handler files files 
session.save_path C:\PHP\sessiondata C:\PHP\sessiondata 
session.serialize_handler php php 
session.use_cookies On On 
session.use_only_cookies Off Off 
session.use_trans_sid Off Off
 [2003-06-13 07:45 UTC] sniper@php.net
What webserver are you using? And which SAPI module?
Does this happen with any browser?


 [2003-06-13 07:52 UTC] steveh at brendata dot co dot uk
This is with IIS4 and it's an issue in all versions of Internet Explorer we have at hand, including 6.0.2800 (XP SP2)

using php4isapi.dll (
 [2003-06-13 09:14 UTC] sniper@php.net
remove that phpinfo() from your test script
and use telnet to connect to the webserver and request
the script (e.g. GET /test.php HTTP/1.0). Then paste the output here.


 [2003-06-13 09:49 UTC] steveh at brendata dot co dot uk
Unfortunately, the server on which this resides requires authentication, can you quickly paste the format for basic authentication username/password?
 [2003-06-13 10:04 UTC] sniper@php.net
Uh..maybe it's easier if you use lynx:

# lynx -dump -head http://localhost/test.php


 [2003-06-13 10:05 UTC] sniper@php.net
forgot the auth parameter:

-auth=id:pw

 [2003-06-13 10:12 UTC] steveh at brendata dot co dot uk
That looks fine, I also tried on the larger app that is really causing the problems and that looks fine as well?

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 13 Jun 2003 15:10:57 GMT
Content-type: text/html
X-Powered-By: PHP/4.3.2
Set-Cookie: PHPSESSID=d1ed576c229f8c72edf65eee70a1bd9f; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
 [2003-06-13 10:12 UTC] steveh at brendata dot co dot uk
I'm just going to tcpdump the traffic going between the IIS and the Client PC to see whether that shows more.
 [2003-06-13 10:16 UTC] steveh at brendata dot co dot uk
Now I'm totally foxed, it's working again, but IIS has not been restarted, neither has the browser on my PC and nothing has changed in the INI file.
I'll get the vardump of $_COOKIE again.

There is now just that single cookie set PHPSESSID.
 [2003-06-13 10:28 UTC] steveh at brendata dot co dot uk
This now seems to fall into the same description as the other session bugs, failing randomly, I thought we'd caught the definitive problem here, don't understand how the cookies became corrupted though?

I wish I'd traced the session when it was wrong, as new cookies were appearing during my tests (id=id rather than PHPSESSID=id).
 [2003-06-13 15:32 UTC] sniper@php.net
Reopen if it happens again and you can prove it's some
bug in PHP and not in your script/browser/IIS/etc..
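
Added example, not part of the original report or of PHP's own code: a small PHP diagnostic for the symptom discussed in this thread. It parses a raw Cookie request header and reports whether the configured session cookie is present and which cookies carry a 32-hex-digit id as both name and value; the function names are hypothetical, and the sample headers reuse values quoted in the report.

```php
<?php
// Added diagnostic, not part of the original report.

// Split a raw Cookie header into [name, value] pairs, keeping every
// pair as sent (no de-duplication or name mangling).
function parse_cookie_header(string $header): array
{
    $pairs = [];
    foreach (explode(';', $header) as $part) {
        $part = trim($part);
        if ($part === '') {
            continue;
        }
        $bits = explode('=', $part, 2);   // a cookie without "=" gets ''
        $pairs[] = [$bits[0], $bits[1] ?? ''];
    }
    return $pairs;
}

// Report the value of the configured session cookie (null if absent)
// and list cookies whose name and value are the same 32-hex-digit id.
function audit_session_cookies(string $header, string $sessionName): array
{
    $report = ['session_cookie' => null, 'id_as_name' => []];
    foreach (parse_cookie_header($header) as [$name, $value]) {
        if ($name === $sessionName) {
            $report['session_cookie'] = $value;
        } elseif ($name === $value && preg_match('/^[0-9a-f]{32}$/', $name)) {
            $report['id_as_name'][] = $name;
        }
    }
    return $report;
}

// Sample headers: $bad is shortened from the phpinfo() output in the report,
// $good is built from the Set-Cookie line in the lynx dump.
$bad  = 'CookieProductID=94; a9c7fa405401e831e6ada0ee31f67ea3=a9c7fa405401e831e6ada0ee31f67ea3; '
      . 'caec00776094cd5017fa35e41162333b=caec00776094cd5017fa35e41162333b';
$good = 'CookieProductID=94; PHPSESSID=d1ed576c229f8c72edf65eee70a1bd9f';

foreach (['bad' => $bad, 'good' => $good] as $label => $header) {
    $r = audit_session_cookies($header, 'PHPSESSID');
    printf("%s: session cookie %s, %d id=id cookie(s)\n",
        $label, $r['session_cookie'] ?? 'missing', count($r['id_as_name']));
}
```

On a live request, pass `$_SERVER['HTTP_COOKIE']` and `session_name()` and write the result with `error_log()`, so the request headers are recorded at the moment the failure occurs.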

 
Last updated: Sat Aug 17 22:01:28 2024 UTC