php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44080 Session misbehaviour with Mozilla browsers
Submitted: 2008-02-09 02:43 UTC Modified: 2008-02-26 01:00 UTC
Votes:6
Avg. Score:4.7 ± 0.7
Reproduced:5 of 6 (83.3%)
Same Version:5 (100.0%)
Same OS:4 (80.0%)
From: k dot mcmanus at gre dot ac dot uk Assigned:
Status: No Feedback Package: Session related
PHP Version: 5.2.5 OS: Solaris and Windows
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: k dot mcmanus at gre dot ac dot uk
New email:
PHP Version: OS:

 

 [2008-02-09 02:43 UTC] k dot mcmanus at gre dot ac dot uk
Description:
------------
I have EXACTLY the same files on 2 different Apache (Solaris) servers and an IIS server.

The example works correctly with IE5.5, 6 and 7 and Opera 9 clients but with Firefox (2.0.0.12 or 2.0.0.11) or Mozilla (1.7.10) clients. Yes, cookies are on in the clients and I have tried restarting the clients and tried several client machines.

Please feel free to try the examples...
PHP 4.3.10 on Apache
http://staffweb.cms.gre.ac.uk/~mk05/session/index.php
PHP5.0.5 on Apache
http://stuweb.cms.gre.ac.uk/~mk05/session/index.php
PHP5.2.3 on IIS
http://cms-stu-iis.gre.ac.uk/mk05/session/index.php

When you reach activate.php $_SESSION has remembered literals but has forgotten variable values.

I am at a loss to explain why it refuses to work in Moz clients.
I am am even more confused at to why commenting out the line
<link href="" rel="stylesheet" type="text/css"/>
in register.php fixes the problem.

I am not at all clear as to whether the problem lies with Mozilla or PHP. The fact that it affects such a range of versions of both PHP and Mozilla is also mystifying. I cannot imaging what possible mechanism could cause this effect.



Reproduce code:
---------------
http://staffweb.cms.gre.ac.uk/~mk05/session/index.php.txt
http://staffweb.cms.gre.ac.uk/~mk05/session/register.php.txt
http://staffweb.cms.gre.ac.uk/~mk05/session/activate.php.txt
These are links not copies so you see exactly the same source.

Expected result:
----------------
3 stage process
index.php -> register.php -> activate.php
(you don't need to fill in the forms, just press the buttons)

form input from index.php is posted to register.php

in register.php the POST data is copied into $_SESSION together with a string literal

in activate.php the session values are printed



Actual result:
--------------
in activate.php the session has lost the values of the variables but not the value of the literal - only with Mozilla/Firefox browsers


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-02-13 17:51 UTC] svenne at krap dot dk
for me the bug creeps up in old, stable code that suddently doesn't work any more. 

as original poster said, IE works fine, FF does not. The bug is also not present in konqueror (kde browser)  nor epiphany (gnome browser)

As OP said, strings entered to the session object (in my case indirectly  via some custom classes) are kept, values from database seems kept, values from queries (GET/POST) are dropped. 

My server runs Linux (Gentoo, mostly stable)
 [2008-02-13 18:02 UTC] jani@php.net
You're not using PHP 5.2.5 in any place? I'd suggest upgrading first. And then check what your session.* settings are in your php.ini file. (or rather from the phpinfo(); output)
 [2008-02-15 04:28 UTC] k dot mcmanus at gre dot ac dot uk
Since posting my ever helpful sysops have moved 
http://cms-stu-iis.gre.ac.uk/mk05/session/index.php
to PHP 5.2.5 and I have recently installed 5.2.5 onto Apache 2.2.8
The bug still manifests.

I am not sure why jani asks for session settings as the sessions work correctly in all browsers other than Moz and work but incorrectly in all Moz browsers, but if it helps these can be found at
http://staffweb.cms.gre.ac.uk/~mk05/info.php
http://stuweb.cms.gre.ac.uk/~mk05/info.php
http://cms-stu-iis.gre.ac.uk/mk05/info.php

I am slightly puzzled as to how this bug has lived so long as it is causing dreadful problems for my poor students.

As to the underlying mechanism... 
I think, but don't know, and I am not terribly confident but...

Perhaps Moz clients send an HTTP GET request for register.php when they encounter the empty href attribute in the <link> element. This would overwrite the SESSION entries causing them to lose their value, which is what we see. Although if this is happening then why do we not see Undefined index warnings raised by the POST variables not existing (which is what you see if you GET register.php).
 [2008-02-15 13:41 UTC] jani@php.net
Ah yes..that empty link definately will cause problems.
I guess Mozilla based browsers are more strict in this, IE is known to allow pretty much any crap. :)

I tested your page using FF and having Firebug installed, and it does 2 requests for index.php. For example this bug page only shows 1 request.

This is not really any PHP bug just how decent browsers behave. You shouldn't have empty links like that around anyway.
 [2008-02-15 14:25 UTC] jani@php.net
See also bug #10599 and bug #33705
 [2008-02-15 14:45 UTC] k dot mcmanus at gre dot ac dot uk
Yes, in an ideal world pages should not have empty <link> elements. But in my less than ideal world I have students using XHML templates with empty <link> placeholders. Not surprisingly I have some pretty confused students who I am having difficulty keeping away from IE.

I can understand how an empty href attribute may cause a user agent to make an HTTP request for the file path with no file name and the server returning whatever is the default file, usually index.php or index.html.
But Moz interprets the empty href attribute value as being the filename, which isn't really all that sensible.
And... surely the browser should be sensible enough to realise that the HTTP response isn't text/css.

Before I pass this over to the good people at Moz there remains an unresolved PHP problem...

If this effect is caused by Moz sending a GET request for register.php we should see warnings.
This is a simple enough experiment.  Instead of refreshing register.php (in which case the browser will want to resend the POST data), click in the browser address bar and hit Enter to force it to GET register.php - hey presto - warnings.
 [2008-02-18 09:34 UTC] jani@php.net
Put this line in the register.php:

var_dump($_POST);

According to Firebug, it doesn't send anything. Why it doesn't cause a notice I don't understand..maybe it does but for some reason it isn't outputted. You should check what is in the Apache logs. And maybe make PHP to put all errors in a separate file.
 [2008-02-26 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 03:01:28 2024 UTC