PHP :: Request #31369 :: session_destroy() and/or session_write

session_destroy() and/or session_write_close() should unregister URL handler

Submitted:

2004-12-31 16:33 UTC

Modified:

2012-03-29 09:29 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

baafie at planet dot nl

Assigned:

sas (profile)

Status:

Wont fix

Package:

Session related

PHP Version:

4.3.10

OS:

Linux Red hat 9 -2.4.20

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	baafie at planet dot nl
New email:
PHP Version:		OS:

New/Additional Comment:

[2004-12-31 16:33 UTC] baafie at planet dot nl

Description:
------------
According to the php manual, session_start() will register internal output handler for URL rewriting when trans-sid is enabled. Should session_destroy() and/or session_write_close() not unregister this handler?

Reproduce code:
---------------
<?php

ini_set ('session.use_trans_sid','1');
session_start();

echo '<a href="index.php">a page</a>\n';
session_destroy();
echo '<a href="index.php">a page</a>';

?>

Expected result:
----------------
Only the link that was printed before session_destroy() should contain the session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php">a page</a>

Actual result:
--------------
Both URLs contain the session ID;

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php?PHPSESSID=2382309823823...">a page</a>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-01-17 02:38 UTC] destes at ix dot netcom dot com

This is a potential security issue, since I read the manual as describing the behavior this bug expects (whereas the experienced behavior is very different).  The ability to keep session data private (especially SIDs) is very important and I don't think the developers intended trans-sid to extend beyond the use of sessions in a script (i.e., beyond where the session has been destroyed).

On a sidenote, you can avoid having trans-sid append your links by using absolute (rather than relative) URLs.

I recommend that the original submitter changes this back from Bogus, absolutely zero explanation was given as to why this isn't a bug, and I (personally) happen to disagree.

-Steve

[2005-01-17 18:38 UTC] sniper@php.net

Assigning to the author of ext/session who can explain this / change it if he wishes.

[2010-12-20 14:06 UTC] jani@php.net

-Package: Feature/Change Request +Package: Session related

[2012-03-29 09:29 UTC] yohgaki@php.net

We are sorry, but we can not support PHP 4 related problems anymore.

[2012-03-29 09:29 UTC] yohgaki@php.net

-Status: Assigned +Status: Wont fix

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 15:00:01 2025 UTC