Bug #39833 Session variables overwritten by local variables (SSL, register_globals=off)
Submitted: 2006-12-14 14:33 UTC Modified: 2006-12-19 11:58 UTC
From: sup1382 at accedo dot es Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.0 OS: OpenBSD 3.9
Private report: No CVE-ID: None
 [2006-12-14 14:33 UTC] sup1382 at accedo dot es
Description:
------------
Session variables are being overwritten by local variables with everything (that I've checked) set as default, register_globals=off, bug_compat_42=off, etc.

On my workstation (Fedora Core 5), I get the correct output.

(Surprisingly, the first time I execute the script on the OpenBSD box I get the correct output. Then always the buggy one.)

These are the options used in 'configure':

--with-apxs=/usr/sbin/apxs  --without-mysql --enable-xml --enable-wddx --enable-cli --with-gettext=/usr/local/base/ --enable-dio --with-pear=/usr/share/pear --enable-bcmath --enable-session --enable-trans-sid --enable-calendar --enable-ctype --enable-ftp --with-pcre-regex --with-posix --enable-sockets --enable-sysvsem --enable-sysvshm --enable-yp --enable-exif --without-sqlite

(Copied from the OpenBSD ports, the same problem applies also to the packaged version in OpenBSD 3.9, PHP 5.05, I've recompiled and tested with 5.2 to check if the problem continues, and it does).





Reproduce code:
---------------
<?php

session_start();
$_SESSION["test"] = "test";
$test = null;
print("<br>Local var test: '".$test."'");
print("<br>Session var test: '".$_SESSION["test"]."'");

?>



Expected result:
----------------
Local var test: ''
Session var test: 'test'


Actual result:
--------------
Local var test: ''
Session var test: ''


 [2006-12-14 19:14 UTC] judas dot iscariote at gmail dot com
Works as expected here; are you sure register_globals is disabled?
 [2006-12-14 22:48 UTC] sup1382 at accedo dot es
Yes, absolutely. The strangest behavior is that the first output is OK, then always the bad one.
 [2006-12-14 23:07 UTC] sup1382 at accedo dot es
BTW, in my parameters of 'config' there was one wrong directory: --with-gettext=/usr/local/base/ is really --with-gettext=/usr/local/bin/

I've made a symlink to avoid this, but I believe this problem has nothing to do with gettext (same result anyway).
 [2006-12-15 09:55 UTC] tony2001@php.net
Add phpinfo() to the end of this code and put the URL here.
 [2006-12-15 11:10 UTC] sup1382 at accedo dot es
Oops, this is a hosting production server, I prefer, too much server info to disclose it to the public. If it is possible, I'll send you the URL by mail.
 [2006-12-15 11:31 UTC] sup1382 at accedo dot es
I've sent you the URLs by mail. I forgot to write here that this script was running under an SSL connection; this seems to be an important fact because testing under the standard port doesn't produce any errors. This appears only under SSL, as you can see in the URLs.
 [2006-12-15 11:46 UTC] tony2001@php.net
I am currently away from my computer and don't have access to my mailbox.
 [2006-12-15 11:49 UTC] sup1382 at accedo dot es
If you have any webmail (Gmail, Hotmail, etc.) account I'll send you the URLs again, or I'll wait, no problem.
 [2006-12-18 10:53 UTC] tony2001@php.net
.
 [2006-12-19 10:14 UTC] sup1382 at accedo dot es
.
 [2006-12-19 10:23 UTC] sup1382 at accedo dot es
I've checked that in an SSL connection, register_globals is always "on" (still in version 5.2). php.ini is parsed correctly, and there register_globals is off; I know it because several personalized vars are OK (include_path, etc.), but register_globals always stays true, no matter what I put in php.ini or httpd.conf (php_flag register_globals off, etc.). No problems in normal transmission (port 80). Seems to be a very big problem to be suffered only by me. Anybody using SSL with register_globals=off out there without problems?
 [2006-12-19 10:29 UTC] tony2001@php.net
Please make sure you're using the right php.ini (the correct one can be found in phpinfo()), restarted Apache and did not set register_globals in a VirtualHost section, htaccess etc. etc.
 [2006-12-19 11:54 UTC] sup1382 at accedo dot es
OK, now I understand what happened: I had a (%$*"&!!) "php_admin_value register_globals on" in the <VirtualHost [ip]> section of the SSL subdomain, in httpd.conf. The problem was that version 5.05 didn't reflect this change [phpinfo() shows register_globals as off, even with this line activated in httpd.conf]; things got clearer with v.5.2.

Thank you for the support and sorry for the bogus info.
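
The check requested in the thread (look for register_globals set in a VirtualHost section or elsewhere in the Apache config), as an added example that is not part of the original report: a shell function that lists every mod_php directive touching one ini setting and the <VirtualHost> block it sits in. The function name, the sample config and its addresses are constructed for illustration; Include'd files and .htaccess files are not followed and must be passed as extra arguments.

```shell
#!/bin/sh
# List each mod_php directive that sets one ini setting, with the
# <VirtualHost> block containing it. php_admin_* values cannot be
# overridden from .htaccess or ini_set(), so one stray line wins.
# Usage: find_php_overrides SETTING FILE...   (hypothetical helper name)
find_php_overrides() {
    setting=$1; shift
    awk -v want="$setting" '
        FNR == 1            { scope = "server-wide" }   # new file, reset scope
        /^[ \t]*#/          { next }                    # skip comment lines
                            { d = tolower($1) }         # directives are case-insensitive
        d ~ /^<virtualhost/ { scope = $0; sub(/^[ \t]+/, "", scope); next }
        d ~ /^<\/virtualhost/ { scope = "server-wide"; next }
        (d == "php_value" || d == "php_flag" ||
         d == "php_admin_value" || d == "php_admin_flag") &&
        tolower($2) == tolower(want) {
            printf "%s:%d: [%s] %s %s %s\n", FILENAME, FNR, scope, $1, $2, $3
        }
    ' "$@"
}

# Constructed sample config (documentation addresses, not the reporter's file).
sample_conf() {
    cat <<'EOF'
# main server section
php_flag register_globals off
<VirtualHost 192.0.2.10:80>
    ServerName www.example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName ssl.example.test
    SSLEngine on
    php_admin_value register_globals on
</VirtualHost>
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
find_php_overrides register_globals "$conf"
rm -f "$conf"
```

On the constructed sample this reports the server-wide `php_flag register_globals off` and the `php_admin_value register_globals on` inside the port 443 block, which is the pattern behind the SSL-only behaviour in this report.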
 