PHP :: Bug #67694 :: Regression in session_regenerate

Bug #67694

Regression in session_regenerate_id()

Submitted:

2014-07-28 09:06 UTC

Modified:

2014-09-01 07:33 UTC

Votes:	2
Avg. Score:	5.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

atze at fem dot tu-ilmenau dot de

Assigned:

yohgaki (profile)

Status:

Closed

Package:

Session related

PHP Version:

5.6.0RC2

OS:

GNU/Linux i386

Private report:

CVE-ID:

None

View Developer Edit

[2014-07-28 09:06 UTC] atze at fem dot tu-ilmenau dot de

Description:
------------
session_regenerate_id() does still regenerate the session id, it does still keep the session data, but the session data is not stored (e.g. in session file). The session data is available in the running PHP process after session_regenerate_id() is called, but it disappears after that. So the next access is processed with an empty session.

Related settings in php.ini:

session.save_handler = files
session.save_path = "/var/lib/php5" 
(ownership and ACLs are fine)
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain = <FQDN of server>
session.cookie_httponly = 0
session.serialize_handler = php
session.gc_probability = 0
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 0
session.hash_bits_per_character = 5

The code in session.c looks weird, like it is supposed to delete the old session and then create a new one, nothing that looks like "copy the data". Maybe $_SESSION is just by accident still in memory after calling this function, but the documentation clearly states that the session data is preserved by this function call.

The relation to bug #61470 is that the file is not created on the end of the PHP processing - it is created never at all.

Test script:
---------------
<?php

session_start();
$session1 = session_id();
if (!isset($_SESSION['init'])) { $_SESSION['init'] = date('Y-m-d H:i:s'); }

$init1 = @$_SESSION['init'].'<br/>';
session_regenerate_id(false);

echo $init1;
echo @$_SESSION['init'].'<br/>';
echo 'session id1 ' . $session1;
echo '<br />session id2 ' . session_id();
?>


Expected result:
----------------
Result on PHP 5.4.x:

<Timestamp of session start, does not change when pressing F5>
<session name (== session name 2 of last access>
<session name 2 (must be different)>

Actual result:
--------------
Result on PHP 5.6RC2:

<Current timestamp>
<session name (== session name 2 of last access>
<session name 2 (must be different)>

Patches

write-short-circuit-fix (last revision 2014-08-23 14:18 UTC by tyrael@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-08-22 09:09 UTC] atze at fem dot tu-ilmenau dot de

This bug is still present in RC4 on multiple OS

[2014-08-22 23:56 UTC] tyrael@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: yohgaki

[2014-08-22 23:56 UTC] tyrael@php.net

sorry for not spotting this sooner (I remembered that I checked this and couldn't repro, but maybe I just remember wrong).
I was able to reproduce the issue with RC4, from a quick search, it seems that this was introduced with
http://git.php.net/?p=php-src.git;a=commit;h=554021d21e1b2517313a377676260c188152c2eb
http://bugs.php.net/17860
Assigning this Yasuo, but others are also welcome to look into this.

[2014-08-23 00:47 UTC] datibbaw@php.net

I've tried to write a test case against this, but unfortunately it passes on 5.6; perhaps somebody can improve it?

https://gist.github.com/datibbaw/6fd22f567f1ef2436ddb

[2014-08-23 01:22 UTC] datibbaw@php.net

Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ce9bdae33f101ff85c08d32ce5c2c6502a451d62
Log: Fixed #67694: Regression in session_regenerate_id()

[2014-08-23 01:22 UTC] datibbaw@php.net

-Status: Verified +Status: Closed

[2014-08-23 07:15 UTC] tyrael@php.net

The following patch has been added/updated:

Patch Name: write-short-circuit-fix
Revision:   1408778157
URL:        https://bugs.php.net/patch-display.php?bug=67694&patch=write-short-circuit-fix&revision=1408778157

[2014-08-23 07:19 UTC] tyrael@php.net

ignore the first patch, I screwed up.

[2014-08-23 14:18 UTC] tyrael@php.net

The following patch has been added/updated:

Patch Name: write-short-circuit-fix
Revision:   1408803509
URL:        https://bugs.php.net/patch-display.php?bug=67694&patch=write-short-circuit-fix&revision=1408803509

[2014-08-23 14:22 UTC] tyrael@php.net

duh, dattibaw already fixed it, should have refreshed my browser since commenting yesterday. :/

[2014-08-24 11:08 UTC] atze at fem dot tu-ilmenau dot de

short testing yields this :(

[pid 11627] open("/var/lib/php5/sess_0q1md3dakrcv8g2cu083ef6835", O_RDWR|O_CREAT|O_LARGEFILE|O_NOFOLLOW, 0600) = 6
[pid 11627] fstat64(6, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
[pid 11627] getuid32()                  = 33
[pid 11627] flock(6, LOCK_EX)           = 0
[pid 11627] fcntl64(6, F_SETFD, FD_CLOEXEC) = 0
[pid 11627] fstat64(6, {st_mode=S_IFREG|0600, st_size=0, ...}) = 0
[pid 11627] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x8771af7} ---


But maybe I broke the build. Will test again, but that will take 2 days.

[2014-08-24 16:03 UTC] atze at fem dot tu-ilmenau dot de

This is the backtrace... can anyone reproduce this?

Program received signal SIGSEGV, Segmentation fault.
php_sprintf (s=0x8771af7 "%s|%s", format=0xb74c9830 "1crisadvoi8p7pv7r833mn2qr3") at /usr/src/php/php5-5.6.0RC4/main/php_sprintf.c:37
37        s[0] = '\0';
(gdb) bt
#0  php_sprintf (s=0x8771af7 "%s|%s", format=0xb74c9830 "1crisadvoi8p7pv7r833mn2qr3") at /usr/src/php/php5-5.6.0RC4/main/php_sprintf.c:37
#1  0x081bfebf in php_session_initialize () at /usr/src/php/php5-5.6.0RC4/ext/session/session.c:522
#2  0x081c0730 in php_session_start () at /usr/src/php/php5-5.6.0RC4/ext/session/session.c:1618
#3  0x081c1619 in zif_session_start (ht=0, return_value=0xb74c948c, return_value_ptr=0xb74ae088, this_ptr=0x0, return_value_used=0)
    at /usr/src/php/php5-5.6.0RC4/ext/session/session.c:2098
#4  0x083decb0 in execute_internal (execute_data_ptr=0xb74ae094, fci=0x0, return_value_used=0) at /usr/src/php/php5-5.6.0RC4/Zend/zend_execute.c:1512

[2014-08-24 16:09 UTC] atze at fem dot tu-ilmenau dot de

Oh never mind, I also screwed up :)

[2014-08-27 03:17 UTC] tyrael@php.net

Automatic comment on behalf of datibbaw
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e60d39581a8fb7e0d8cabd5c2d44d35e01d2969c
Log: Fixed #67694: Regression in session_regenerate_id()

[2014-09-01 07:33 UTC] yohgaki@php.net

I didn't notice the notification mails, sorry.
If there is any leftover, please let me know.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 09:01:32 2024 UTC