Bug #29920 empty session_id() is created for Safari browser
Submitted: 2004-08-31 18:26 UTC Modified: 2004-09-02 08:27 UTC
From: mbarskey at seattletech dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.8 OS: Red Hat Linux release 7.3
Private report: No CVE-ID: None
 [2004-08-31 18:26 UTC] mbarskey at seattletech dot com
Description:
------------
PHP 4.3.8 under Linux Red Hat 7.3, Apache 1.3.31

session_id() returns a null or empty string when hit from the Safari browser under Mac OS X. The extremely simple sample code below works as expected from Netscape (7.2 OS X or 7.1 Win2K) and IE (5.2.3 OS X or 6.0.2800.1106 Win2K), but it creates a session without a session_id when hit from Safari for OS X. All Apache and PHP configurations are identical when hit by working browsers and by Safari.

The session gets created and seems to work fine, but there is no session_id. I'm concerned that if 2 different Safari users hit the page simultaneously, they would share the session file.

I'm somewhat of a PHP novice, and I've never posted a PHP bug before (I figured people who knew what they were doing would find a bug before I did!), so please don't flame me for doing this incorrectly; instead, tell me how I can better help you (or where I can find a solution - I've searched!). I searched for a previous bug with this description before posting, but didn't find any. Also, I'm on a shared server, so I cannot try a CVS version.

My PHP installation info can be found at http://www.seattletech.com/phpinfo.php. Just in case, here was the configure command:
'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-xml' '--enable-bcmath' '--enable-calendar' '--with-curl' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--with-gettext' '--with-imap' '--with-imap-ssl' '--with-kerberos' '--with-mcrypt' '--enable-magic-quotes' '--with-mysql' '--enable-discard-path' '--with-pear' '--enable-xslt' '--with-xslt-sablot' '--enable-sockets' '--enable-track-vars' '--with-ttf' '--with-freetype-dir=/usr' '--enable-gd-native-ttf' '--enable-versioning' '--with-zlib' 

...and here is the session info:
Session Support  enabled  
Registered save handlers  files user  

Directive                  Local Value  Master Value
session.auto_start         Off          Off
session.bug_compat_42      On           On
session.bug_compat_warn    On           On
session.cache_expire       180          180
session.cache_limiter      nocache      nocache
session.cookie_domain      no value     no value
session.cookie_lifetime    0            0
session.cookie_path        /            /
session.cookie_secure      Off          Off
session.entropy_file       no value     no value
session.entropy_length     0            0
session.gc_divisor         100          100
session.gc_maxlifetime     1440         1440
session.gc_probability     1            1
session.name               PHPSESSID    PHPSESSID
session.referer_check      no value     no value
session.save_handler       files        files
session.save_path          /tmp         /tmp
session.serialize_handler  php          php
session.use_cookies        On           On
session.use_only_cookies   Off          Off
session.use_trans_sid      On           On

...and here is the .htaccess file I'm using:
php_value session.save_handler 'user'
php_value session.save_path 'php_sessions'
php_value auto_prepend_file '/home/seattlet/public_html/registration/mysql_session_handler.php'
php_value include_path ".:../"
php_flag register_globals off
php_flag session.use_trans_sid 1
php_flag log_errors 1
php_value error_log '/home/seattlet/public_html/registration/error_log.txt'
php_flag cgi.rfc2616_headers 0

Thanks!

- Mike

Reproduce code:
---------------
<?php
session_start();

$_SESSION['id'] = session_id();

print("the session id is: ".$_SESSION['id']);
?>

Expected result:
----------------
the session id is: bf76a978c98f980340bcfffe87987e22

Actual result:
--------------
the session id is: 
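
The report above worries that clients arriving with an empty session ID would end up sharing one session record. The following is an added example, not code from the bug report or from PHP itself: a wrapper around session_start() that refuses an empty or malformed ID and issues a fresh server-generated one. It assumes PHP 7.1 or later, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; assumes PHP 7.1+ (session_create_id) and any save handler.

/**
 * Hypothetical helper: true when $id looks like an ID PHP would issue.
 * PHP limits IDs to [A-Za-z0-9,-]; the 22-256 length range follows the
 * bounds documented for session.sid_length.
 */
function session_id_is_usable(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1;
}

/**
 * Hypothetical helper: start the session and guarantee a non-empty,
 * well-formed ID, so clients with a blank ID never share one record.
 */
function start_session_checked(): string
{
    if (!session_start()) {
        throw new RuntimeException('session_start() failed');
    }
    $id = session_id();
    if (is_string($id) && session_id_is_usable($id)) {
        return $id;
    }

    // Record which client produced the bad ID so it can be investigated.
    error_log('unusable session id ' . var_export($id, true) . ' from UA '
        . ($_SERVER['HTTP_USER_AGENT'] ?? 'unknown'));

    // Close the session opened under the bad ID without writing it back,
    // then start a new one under an ID generated on the server.
    session_abort();
    $fresh = session_create_id();
    if ($fresh === false || !session_id_is_usable($fresh)) {
        throw new RuntimeException('could not generate a session id');
    }
    session_id($fresh);
    if (!session_start()) {
        throw new RuntimeException('session_start() failed after reset');
    }
    return $fresh;
}

$sid = start_session_checked();
$_SESSION['id'] = $sid;
print('the session id is: ' . htmlspecialchars($sid, ENT_QUOTES));
```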

 [2004-09-01 09:46 UTC] derick@php.net
If safari is the only browser that borks, why do you think it's a bug in PHP?
 [2004-09-01 16:53 UTC] mbarskey at seattletech dot com
I'm not sure it's a PHP bug. But since PHP creates the session files and the session_id (web browsers don't), I thought the problem of certain sessions not getting a session_id was PHP's fault - even though it only seems to happen for one browser.

- Mike
 [2004-09-01 18:27 UTC] mbarskey at seattletech dot com
I forgot to mention: I tried having Safari "disguise" itself by sending other browsers' ID's in the header, but it didn't help.

- Mike
 [2004-09-02 02:21 UTC] mbarskey at seattletech dot com
I learned that it is not every instance of Safari that causes PHP to create a null session_id! I am using Safari 1.2.3 v125.9 under OS X 10.3.5 build 7M34 and I get sessions with null session_ids. A version of Safari 1.2.2 v125.8 under OS 10.3.4 seems to have PHP create sessions with valid session_ids!

This sure looks like there is something specific about the one computer/environment causing the problem, but it still looks to me like it is PHP that is actually having the problem: Something about this one client environment is telling the PHP engine on the server to create a null session_id. No?

- Mike
 [2004-09-02 08:27 UTC] derick@php.net
Yes, or they are not accepting a cookie or something. Anyway, this is then definitely not a bug in PHP but a browser-related issue. IE: safari is broken :) Marking as bogus.
 