PHP :: Request #17460 :: session parameters with trans-sid and no cookies

session parameters with trans-sid and no cookies

Submitted:

2002-05-27 13:53 UTC

Modified:

2002-06-01 09:16 UTC

Votes:	2
Avg. Score:	4.0 ± 1.0
Reproduced:	2 of 2 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

karoshi at gmx dot net

Assigned:

Status:

Closed

Package:

Feature/Change Request

PHP Version:

4.1.2

OS:

all i guess

Private report:

CVE-ID:

None

View Developer Edit

[2002-05-27 13:53 UTC] karoshi at gmx dot net

When cookies are disabled while using sessions+transsid, php adds a hidden field directly behind the form tag.
This has influence on the document-model of the created site: since all elements of the form can be adressed via javascript using an array (e.g. forms[0].elements[0]), the newly created hidden field shifts all members of the array by one point.
This can cause off-by-one errors when accessing the array with direct addresses, resulting in strange behaviours on the client (wrong line of data used etc) - only with cookies disabled.

Of course, there are other possibilities in adressing the elements, but there are some solutions that would ease the problem and stop php preventing the user from using one method of adressing the elements:
- put the hidden field right before the end-form tag (bad solution, object model is still affected, but additional elements at the end obviously cause less problems...)
- don't put the hidden field if the user manually uses SID in the form, e.g. in the action of the formtag (better solution, enabels advanced users to control how the object model is affected)

i think a combination of both methods would increase some inexperienced users sites (that never test their site without cookies) and experienced users can control the functionality.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-05-30 08:04 UTC] sniper@php.net

Look in php.ini for url_rewriter.tags directive. Just remove
the form=fakeentry and it won't automatically add that hidden field anymore.

[2002-05-31 08:49 UTC] karoshi at gmx dot net

Well.. I submitted this entry as a feature request and not as a bug report, so editing directives is only a workaround for the existing problem.

Of course there are plenty solutions for this specific problem, changing php.ini is only one of them, there's still the possiblities of more correct JS-Code etc.

Still, what I request is a *feature* :)

[2002-06-01 09:16 UTC] sniper@php.net

Yes, and that feature already exists. Just edit that directive and add the SID 'manually' in your script to
the forms. That way you have total control over it and
don't need to worry about this magic anymore.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Dec 25 00:00:01 2025 UTC