php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #30026 Session variables lost with include through http
Submitted: 2004-09-08 14:58 UTC Modified: 2004-09-15 17:00 UTC
From: p dot kruijsen at mssm dot nl Assigned:
Status: Not a bug Package: Session related
PHP Version: Irrelevant OS: Windows XP / Redhat Linux
Private report: No CVE-ID: None
View Developer Edit
 [2004-09-08 14:58 UTC] p dot kruijsen at mssm dot nl 
Description:
------------
When include()ing a url through HTTP, $_SESSION variables in the requested page are lost. Opening the same url by hand does preserve the $_SESSION variables.

Testcase:
Bootstrap a session variable on server1. (OK)
Test bootstrap by invoking script on server1. (OK)
Invoke script on server2 that includes script on server1. ($_SESSION is lost)

This behaviour occurs on various operating systems with various up to date versions of PHP. I suspect this to be some form of security guarantee built into PHP. However, I see no difference in security level between include()ing a file in a script and opening it by hand.

Reproduce code:
---------------
<?php
// server1.com/bootstrap.php
session_start();
$_SESSION['bootstrap'] = 'OK';
echo('OK');
?>

<?php
// server1.com/test.php
session_start();
$_SESSION['server1'] = 'OK';
echo('<pre>server1: $_SESSION = ');
print_r($_SESSION);
echo('</pre>');
?>

<?php
// server2.com/test.php
session_start();
include('http://server1.com/test.php');
$_SESSION['server2'] = 'OK';
echo('<pre>server2: $_SESSION = ');
print_r($_SESSION);
echo('</pre>');
?>

Expected result:
----------------
// invoke server1.com/bootstrap.php
OK

// invoke server1.com/test.php
server1: $_SESSION = Array
(
    [bootstrap] => OK
    [server1] => OK
)

// invoke server2.com/test.php
server1: $_SESSION = Array
(
    [bootstrap] => OK
    [server1] => OK
)
server2: $_SESSION = Array
(
    [server2] => OK
)


Actual result:
--------------
// invoke server2.com/test.php
server1: $_SESSION = Array
(
    [server1] => OK
)
server2: $_SESSION = Array
(
    [server2] => OK
)

// Ths initial bootstrap variable is missing from $_SESSION on server1

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-09-08 17:21 UTC] rasmus@php.net 
You are assuming a URL include will send cookie information along with the request.  That is not the case.  You will have to do that yourself if that is what you want.  See php.net/curl for everything you need to send a request which includes the session cookie.
 [2004-09-15 14:17 UTC] p dot kruijsen at mssm dot nl 
Please not that I am not trying to send any session or cookie information along with my request. I specifically want to use the session information that is already present at the server to which I make the request.
Maybe it's better to assume a 'fopen' rather then an 'include'. If I sign in to server.com and type http://server.com/check by hand in a browser, I might recieve a 'You are signed in' message based on a $_SESSION variable that was set. If I fopen(http://server.com/check) from another server and print the contents I get 'You are not signed in, please sign in'. The $_SESSION variable that is already present and set at server.com (this is the key: I'm not sending anything!) is not used when opening the server.com/check url via fopen() or include(). I cannot understand the difference between opening a URL by hand or by opening it and showing its contents via fopen().
Hope this clarifies. Thanks.
 [2004-09-15 14:21 UTC] derick@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

This is still not a bug. Please go to our support channels.
 [2004-09-15 17:00 UTC] rasmus@php.net 
You don't understand how sessions work then.  It doesn't matter that the session data is on the server.  Unless you send the session identifier with your request you won't be able to get it.  When you fopen() or include over HTTP the session cookie is not sent with the request because you haven't told it you wanted to send it.  Like I said before, if you want to do this use the curl functions and explicitly send the session cookie with your request.  Further questions should be on the support mailing lists.  This is not a support forum.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Dec 08 05:00:01 2025 UTC