Bug #48026 Session not always restored after redirect
Submitted: 2009-04-20 13:46 UTC Modified: 2009-04-21 00:42 UTC
From: scratch65535 at att dot net Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.9 OS: W2KProSP4
Private report: No CVE-ID: None

 [2009-04-20 13:46 UTC] scratch65535 at att dot net
Description:
------------
If localhost/p1.php initiates a session before redirecting to 127.0.0.1/p2.php (or vice versa), the session data will be saved in p1 but not restored in p2; a new session will be started in p2.  

Only if the host references match literally (both 'localhost' or both '127.0.0.1') will the session be restored.

Reproduce code:
---------------
Create 2 files, truncate sessions for a clean start (I store sessions in a MySQL db, and 'incSessions.inc' are the vanilla routines that support that)

_t1.php:

<?php define('cDocRoot',$_SERVER['DOCUMENT_ROOT'].'/') ;
    require_once( cDocRoot.'Global/incSessions.inc' ) ;
    session_start() ;

    $_SESSION['T1'] = session_id() ;
    header('Location: http://127.0.0.1/_t2.php') ;
    exit() ;
?>    

_t2.php:

<?php define('cDocRoot',$_SERVER['DOCUMENT_ROOT'].'/') ;
    require_once( cDocRoot.'Global/incSessions.inc' ) ;
    session_start() ;

    $_SESSION['T2'] = session_id() ;
    var_dump($_SESSION) ;
    exit() ;
?>

Type into the address line of your browser "127.0.0.1/_t1.php", and note that var_dump shows both 'T1' and 'T2' having been set.  Inspect the sessions storage, note that only one session was created.

Re-truncate sessions, and call _t1 as "localhost/_t1.php".  Note that var_dump now shows only 'T2' having a value, and that inspection of the sessions storage shows 2 sessions rather than 1.

Expected result:
----------------
I expected the session to be restored after the redirect regardless of how localhost was identified.

Actual result:
--------------
See above

 [2009-04-20 15:04 UTC] jani@php.net
Use session_write_close() before redirect.
 [2009-04-20 19:23 UTC] scratch65535 at att dot net
Your suggestion doesn't help, Jani.  Calling session_write_close() before the redirect makes no difference in the outcome.  Will you reopen this bug report or do I need to submit a duplicate?
 [2009-04-20 21:13 UTC] scottmac@php.net
Cookies are only valid for the domain they set; if you change the domain between 127.0.0.1 and localhost, then it makes sense they won't be sent.
 [2009-04-20 21:24 UTC] scratch65535 at att dot net
They're the same domain!  That's the whole point of domain naming.  And that particular mapping is so central to PHP's use that it's just crazy to break it that way.
 [2009-04-21 00:42 UTC] scottmac@php.net
An IP address is not the same as a domain name. Cookies are limited to the domain that set them; this is just how browsers work and has nothing to do with PHP.
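
The cookie scoping rule described in the replies above, as an added example that is not part of the original thread or PHP's own code: a small model of the RFC 6265 storage and retrieval checks a browser applies, replayed against the two hosts from the report. It assumes the session cookie is sent without a Domain attribute (PHP's default when session.cookie_domain is empty), omits the public-suffix check, and uses constructed names (PHPSESSID, example.test).

```javascript
// Added example: RFC 6265 cookie scoping applied to the hosts in this report.
// Hosts are passed without a port; all sample values are constructed.

// IPv4 or IPv6 literal: never eligible for suffix (subdomain) matching.
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// RFC 6265 section 5.1.3: domain-match a request host against a cookie domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIpAddress(host) && host.endsWith('.' + domain);
}

// Storage (section 5.3): no Domain attribute gives a host-only cookie;
// a Domain attribute the setting host does not domain-match is rejected.
function storeCookie(name, setByHost, domainAttr) {
  if (!domainAttr) {
    return { name, domain: setByHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  if (!domainMatch(setByHost, domain)) return null; // cookie ignored entirely
  return { name, domain, hostOnly: false };
}

// Retrieval (section 5.4): a host-only cookie needs an identical host string.
function shouldSend(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : domainMatch(host, cookie.domain);
}

// The report's flow: _t1.php sets the session cookie on firstHost, then the
// browser follows the redirect to redirectHost. True means the session ID
// cookie accompanies the second request, so the session can be restored.
function replayReport(firstHost, redirectHost) {
  const cookie = storeCookie('PHPSESSID', firstHost, '');
  return shouldSend(cookie, redirectHost);
}

console.log('localhost -> 127.0.0.1:', replayReport('localhost', '127.0.0.1'));
console.log('127.0.0.1 -> 127.0.0.1:', replayReport('127.0.0.1', '127.0.0.1'));
```

Because the match is on the literal host string, redirecting to one canonical host name before session_start() keeps every request inside the same cookie scope.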