php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #14232 Crash of session_start() when client disables cookies and sends a form
Submitted: 2001-11-26 09:47 UTC Modified: 2002-03-06 02:49 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: adnev at podvodnik dot cz Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 4.0.6 OS: Win2000;Win98
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: adnev at podvodnik dot cz
New email:
PHP Version: OS:

 

 [2001-11-26 09:47 UTC] adnev at podvodnik dot cz 
The function session_start() produces an access violation (drWatson reports the fault in strnatcmp_ex). It happens when the client has disabled cookies. The only setting that prevents the crash is session.use_trans_sid=0, but than sessions are not handled for client without cookies allowed.

I've tried a lot of combinations: to pass the PHPSESSID manually in a post/get variable (Input hidden ... =session_id();) but the problem remains the same.

For win98, bothe cgi and module versions do not work, under w2k, Apache cannot load the module version (says "cannot find"), so I don't have any idea if the module version could work.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-06 14:46 UTC] adnev at podvodnik dot cz 
After additional testing, I discovered that the problems comes from the output buffering. If output_buffering=Off, the problem does not persist.
 [2001-12-06 21:21 UTC] yohgaki@php.net 
Do you have zlib.output_compression=On or/and output_handler set? If so, what is your setting?
Do you have ob_end_finish()/ob_end_flush() in your script?

Does this happen with 4.1.0RC5?

http://www.php.net/~zeev/
 [2001-12-11 17:13 UTC] adnev at podvodnik dot cz 
I don't use the zlib library (zlib is not loaded at all). I don't use ob_end_finish() neither ob_end_flush(). I am not able to test 4.1.ORC5 if there is no win2000 binary included in the package.

Anyway I have no special libraries loaded and an almost basic configuration:

...
output_buffering = Off
implicit_flush = Off
allow_call_time_pass_reference = On
...
variables_order = "EGPCS"
register_globals = On
register_argc_argv = On
post_max_size = 8M
gpc_order = "GPC"
magic_quotes_gpc = On
magic_quotes_runtime = Off    
magic_quotes_sybase = Off
...
session.save_handler = files
session.save_path = /tmp
session.use_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.serialize_handler = php
session.gc_probability = 10
session.gc_maxlifetime = 1440
session.referer_check =
session.entropy_length = 0
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 1
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=nothing"
...

So if I sum up the problem: I've tested only:
- the cgi exe on win98 and win2000
- the module version on win2000

If session.use_trans_sid=1 and output_buffering=On then submiting forms (POST and GET methods) make the php.exe crash.

I've tested to swap several settings with NO effect e.g.:
- the EGPCS order
- session autostart
- ...
 [2002-02-03 01:33 UTC] s371117 at student dot uq dot edu dot au 
I have a similar error.

When I try to establish a session using php as an apache module under windows.  The apache server crashes instantly.

David

(my configuration is also the default).
 [2002-02-03 04:18 UTC] yohgaki@php.net 
It should be fixed by my patch. Assigned to me for now.
 [2002-03-06 02:49 UTC] yohgaki@php.net 
This bug has been fixed in CVS.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue May 06 06:01:29 2025 UTC