Bug #15096 Sessions with null session ID in the cookie crash PHP
Submitted: 2002-01-18 05:03 UTC Modified: 2002-04-19 21:45 UTC
Votes:5
Avg. Score:4.4 ± 0.8
Reproduced:4 of 5 (80.0%)
Same Version:2 (50.0%)
Same OS:2 (50.0%)
From: goran dot krajnovic at hinet dot hr Assigned:
Status: Closed Package: Session related
PHP Version: 4.1.1 OS: Linux i686 2.4.16 SMP
Private report: No CVE-ID: None
 [2002-01-18 05:03 UTC] goran dot krajnovic at hinet dot hr
First some brief history: last time I developed a session-based app with PHP 4.0.6, sometimes, and without a pattern, when deleting a session the client would end up with a session cookie which said "PHPSESSID=deleted". The next time he visited the site his session would have the ID "deleted", and when two users triggered the same bug they would both end up being logged in as someone else. So I put in a simple check in my code which would forcibly kill the session, delete the cookie and set the new session name to something random.

A version of the code under PHP 4.1.1 crashes PHP and causes "[notice] child pid 14151 exit signal Segmentation fault (11)" in Apache's error log.

Here is a sample page which triggers PHP to crash (if the HTML gets messed up, email me for a copy):

------------------- snip session-tester.php

<html>
<head><title>test</title>
</head>
<body>
<?php

function tableprint( $array )
{
        // this looks better than var_dump()
        echo "<table border=1>";
        while( list( $n, $v ) = each( $array ) )
        {
                echo "<tr><td>$n</td><td>$v</td></tr>\n";
        }
        echo "</table>\n";
}

        // if we got called with ?logout=true then the user wants to end the session.
        if (isset($HTTP_GET_VARS["logout"]))
        {
                session_start(); // it wasn't called yet.
                session_unset();
                session_destroy();

                // REFERENCE #1 (OK)
//              setcookie(session_name(), session_id(), 0);

                // REFERENCE #2 (NOT OK) - crashes
//              setcookie(session_name());

//              different ways of doing things after logging out - echoing 'you are logged out' or redirecting back
//              into a new session.
//              header("Location: /session-tester.php");
                echo "Okie, you are logged out... click <a href=\"$HTTP_SERVER_VARS[SCRIPT_NAME]\">here</a>.</html>";
                exit;
        }
        else // user is not logging out
        {
                session_start();
                session_register("somevar");
                $HTTP_SESSION_VARS["somevar"]++;
        }
?>
        Welcome to the session tester. <br><br>
        Click <a href="<?=$HTTP_SERVER_VARS[SCRIPT_NAME]?>?logout=true">here</a> to log out (reset session).<br><br>
        Your session variable 'somevar' currently has the value <?=$HTTP_SESSION_VARS["somevar"]?>.<br><br>
        Your session cookie has the following parameters:<br><br>
<?php
        $p = session_get_cookie_params();
        tableprint($p);
        echo "<br>Your \$HTTP_COOKIE_VARS contains:<br><br>";
        tableprint($HTTP_COOKIE_VARS);
?>
</body>
</html>

------------------- snip session-tester.php


When opening the page, the session is initialized. If the page is requested with ?logout=true, we enter the critical piece of code. If the 'reference #1' line is uncommented, everything works fine and the cookie is deleted (well, in some browsers, at least), which is the behaviour I want.

However, line reference #2 (setcookie(session_name());), when uncommented, causes the client to store the session cookie with PHPSESSID="". On subsequent requests to the page this crashes the server's process. There is no way that the client with the null session ID cookie can browse this page without crashing the server process, and there is no way that the server can delete that cookie. The client has to close the browser to end the session and destroy the cookie, and only then will it work again. Tested on IE6, Mozilla 0.9.7, Konqueror, etc.


GDB-ing httpd -X gives this:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 12935)]
zend_hash_internal_pointer_reset_ex (ht=0x0, pos=0xbfffeea8) at zend_hash.c:984
984                     *pos = ht->pListHead;
(gdb) where
#0  zend_hash_internal_pointer_reset_ex (ht=0x0, pos=0xbfffeea8) at zend_hash.c:984
#1  0x080903bb in php_session_save_current_state () at session.c:544
#2  0x08092530 in php_session_flush () at session.c:1381
#3  0x08092553 in zm_deactivate_session (type=1, module_number=12) at session.c:1393
#4  0x080f1011 in module_registry_cleanup (module=0x824a1a8) at zend_API.c:1165
#5  0x080f296c in zend_hash_apply (ht=0x81efaa0, apply_func=0x80f0fe4 <module_registry_cleanup>) at zend_hash.c:675
#6  0x080ee5b1 in zend_deactivate_modules () at zend.c:585
#7  0x0806e22f in php_request_shutdown (dummy=0x0) at main.c:723
#8  0x080f6ca3 in apache_php_module_main (r=0x8284840, display_source_mode=0) at sapi_apache.c:96
#9  0x0806c750 in send_php ()
#10 0x0806c79e in send_parsed_php ()
#11 0x0814d83f in ap_invoke_handler ()
#12 0x0815c57f in process_request_internal ()
#13 0x0810f11b in mod_gzip_redir1_handler ()
#14 0x0810e18a in mod_gzip_handler ()
#15 0x0814d83f in ap_invoke_handler ()
#16 0x0815c57f in process_request_internal ()
#17 0x0815c5e2 in ap_process_request ()
#18 0x0815614c in child_main ()
#19 0x081562cb in make_child ()
#20 0x081563dc in startup_children ()
#21 0x081568d9 in standalone_main ()
#22 0x08157004 in main ()
#23 0x4071c306 in __libc_start_main (main=0x8156cf8 <main>, argc=2, ubp_av=0xbffffcf4, init=0x8069878 <_init>, fini=0x8175b90 <_fini>,
    rtld_fini=0x4000d2dc <_dl_fini>, stack_end=0xbffffcec) at ../sysdeps/generic/libc-start.c:129


PHP was compiled with  './configure' '--prefix=/usr/local/superuser/php' '--with-apache=../apache_1.3.22' '--enable-track-vars' '--with-config-file-path=/usr/local/superuser/conf' '--enable-safe-mode' '--enable-sigchild' '--with-gd' '--with-jpeg-dir' '--with-zlib' '--with-oci8=/opt/oracle/8i/u01/app/oracle/product/8.1.5' '--enable-apc' '--without-mysql'

And apache is 1.3.22 compiled with mod_gzip, mod_php4, mod_ssl, mod_setenvif, mod_so, mod_usertrack, mod_headers, mod_expires, mod_cern_meta, mod_proxy, mod_auth_anon, mod_auth, mod_access, mod_rewrite, mod_alias, mod_speling, mod_actions, mod_imap, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_info, mod_status, mod_negotiation, mod_mime, mod_mime_magic, mod_log_referer, mod_log_agent, mod_log_config, mod_env, http_core.

Since I'm using Oci8, yes, I did link apache with libpthread.

Any other info required -> e-mail me.

Goran.
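The reporter's workaround (check the cookie before starting the session, kill the session on logout, expire the cookie properly) written out for a current PHP, as an added example that is not part of the bug report. It assumes PHP 7.3 or later for the setcookie() options array, and the cookie it inspects is whatever session_name() returns.

```php
<?php
// Added example, not code from the bug report. Assumes PHP 7.3 or later
// (setcookie() options array); the cookie name comes from session_name().
// Accept only IDs made of the characters PHP generates for session IDs
// ([0-9a-zA-Z,-]); reject empty values, the literal "deleted" the reporter
// saw, and non-strings such as a PHPSESSID[]=x array.
function is_valid_session_id($id): bool
{
    if (!is_string($id) || $id === '' || $id === 'deleted') {
        return false;
    }
    return preg_match('/\A[0-9a-zA-Z,-]{22,256}\z/', $id) === 1;
}

// Expire the cookie with a past date. setcookie(session_name()) alone only
// sends an empty value: the blank PHPSESSID that crashed the next request.
function expire_session_cookie(): void
{
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 86400,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
}

// Start a session without handing a bogus cookie value to the session layer:
// drop it so PHP generates a fresh server-side ID instead.
function start_session_safely(): void
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_valid_session_id($_COOKIE[$name])) {
        unset($_COOKIE[$name]);   // session_start() reads the ID from here
        expire_session_cookie();  // and make the browser forget it as well
    }
    session_start();
}

// Logout: clear the data, destroy the server-side record, expire the cookie.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
    expire_session_cookie();
}

if (isset($_GET['logout'])) { start_session_safely(); logout(); exit; }
```

On a normal request, call start_session_safely() in place of session_start(). With session.use_strict_mode=1 the session layer additionally refuses IDs it did not generate itself, which covers the "logged in as someone else" half of the report.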
 [2002-01-18 10:07 UTC] sander@php.net
Marking as critical until this is checked out.
 [2002-02-03 19:56 UTC] yohgaki@php.net
I haven't looked at this report closely, but the backtrace is similar to one I've seen. It may be fixed by my patch. Assigned to me for now.
 [2002-03-05 18:35 UTC] yohgaki@php.net
This bug has been fixed in CVS.

It's probably fixed in CVS. Please reopen if there is the problem.
 [2002-04-19 21:45 UTC] sniper@php.net
Please try PHP 4.2.0RC4 from http://www.php.net/~derick/
and reopen if it still crashes.
