PHP :: Bug #22117 :: Session vars inappropriately created as references

Bug #22117

Session vars inappropriately created as references

Submitted:

2003-02-07 17:41 UTC

Modified:

2003-05-22 17:11 UTC

Votes:	5
Avg. Score:	4.4 ± 0.8
Reproduced:	5 of 5 (100.0%)
Same Version:	5 (100.0%)
Same OS:	2 (40.0%)

From:

phpbugs at brianmertens dot com

Assigned:

sas (profile)

Status:

Closed

Package:

Session related

PHP Version:

4.3.0

OS:

Win NT 4

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	phpbugs at brianmertens dot com
New email:
PHP Version:		OS:

New Comment:

[2003-02-07 17:41 UTC] phpbugs at brianmertens dot com

It took me a while to track this down...
we noticed that when we upgraded a develpment box
from 4.2.3 to 4.3.0, that one of our session vars
was being over-written by another.

It turns out that one was being serialized 
to the session as a reference to the other,
but only if the vars were intialized like this:

 $var1 = $var2 = "some value";

Consider two scripts, test_bug1.php and test_bug2.php

If you run test_bug1, and then test_bug2, surprisingly,
the output of test_bug2 will be:

BEFORE:
var1 = 'INITIALIZED'
var2 = 'INITIALIZED'

AFTER:
var1 = 'CHANGED'
var2 = 'CHANGED'

<?php
// test_bug1.php
session_start();

$var1 = $var2 = "INITIALIZED";
session_register("var1","var2");

echo "INIT:<br>\n";
echo "var1 = '$var1'<br>";
echo "var2 = '$var2'<br><p>";

echo "<a href='test_bug2.php'>test_bug2.php</a>";

?>

<?php
// test_bug2.php
session_start();

echo "BEFORE:<br>\n";
echo "var1 = '$var1'<br>\n";
echo "var2 = '$var2'<br><p>\n";

$var2 = "CHANGED";

echo "AFTER:<br>\n";
echo "var1 = '$var1'<br>\n";
echo "var2 = '$var2'<br><p>\n";

$var2 = "EXIT";

?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-02-09 16:07 UTC] phpbugs at brianmertens dot com

Here's the contents of the session file,
immediately after execution of my first
test script test_bug1.php, from versions
4.2.2 and 4.3.0:

session file from 4.2.2:
var1|s:11:"INITIALIZED";var2|s:11:"INITIALIZED";

session file from 4.3.0:
var1|s:11:"INITIALIZED";var2|R:1;

[2003-02-09 16:33 UTC] phpbugs at brianmertens dot com

Actually, I have created a simpler test case,
which produces the behaviour in one script,
and BEFORE serialization:

<?php
// bug3.php
session_start();
$var1 = $var2 = "INITIALIZED";
session_register("var1","var2");
$var2 = "CHANGED";
echo $var1."<br>";
echo $var2."<br>";
?>

Actual Output in 4.3.0:
CHANGED
CHANGED

Session data after execution
var1|s:7:"CHANGED";var2|R:1;

So it seems that $var2 is a reference of $var1,
but only if the session_start and session_register
functions are called.

Notes:
The bug occurs even if the "session_start();" and the "$var1 = $var2 = "INITIALIZED";" lines are swapped.

The buggy behaviour disappears if I move the line
"$var2 = "CHANGED"" above the session_register() call.

[2003-02-09 16:36 UTC] phpbugs at brianmertens dot com

Further searching makes me think that this may be
related to Bug #20583 :
http://bugs.php.net/bug.php?id=20583

[2003-02-10 12:54 UTC] phpbugs at brianmertens dot com

A colleague points out that this script also
produces the buggy behaviour.

<?php
session_start();
$var1 = "INITIALIZED";
$var2 = $var1;
session_register("var1","var2");
$var2 = "CHANGED";
echo $var1."<br>";
echo $var2."<br>";
?>

[2003-02-10 13:03 UTC] sniper@php.net

Just FYI, the following script works as expected:

<?php
session_start();

if (!isset($_SESSION['var1'])) {
    $_SESSION['var1'] = "INITIALIZED";
    $_SESSION['var2'] = $_SESSION['var1'];
    $_SESSION['var2'] = "CHANGED";
}

var_dump($_SESSION);
  
?>

[2003-02-17 13:18 UTC] jneil at myersinternet dot com

While there are some new cautionary notes regarding mixing the use of $_SESSION and session_register (and the other session functions), the example below (and the examples in related bugs) do not mix the two means of accessing session variables.  As the session_* functions have not been designated as deprecated code, current members of the PHP coding community must assume that these functions are still supported and should work.  Given that the code below from brianmertens is valid PHP syntax but yet shows a weakness in the session_register functions (possibly due to pointer problems in the underlying code given the nature of the error), this seems worthy of actually working on instead of pointing out similar code (although with a different approach and function list) that does not have the bug.  Are the developers of the PHP engine going to fix session_register or are they going to force the thousands of PHP developers who have used this function in good faith for several years to abandon it?

[2003-05-22 16:31 UTC] phpbugs at brianmertens dot com

Works with 4.3.2RC4.

This seems to be fixed sometime between 4.3.0 and 4.3.2RC4.

I guess this can be closed.

[2003-05-22 17:11 UTC] sniper@php.net

fixed -> closed.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Nov 03 04:00:01 2025 UTC