Bug #16579 Using session_destroy() after start of output can mangle output
Submitted: 2002-04-12 19:00 UTC Modified: 2002-04-12 19:46 UTC
From: bentley at mindspring dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4.1.2 OS: SunOS
Private report: No CVE-ID: None

 [2002-04-12 19:00 UTC] bentley at mindspring dot com
When using session_destroy() in a page that has a link which is automatically modified to include the PHPSESSID, the output is mangled.  Here is the shortest example I could come up with that demonstrates what happens clearly.

With everything I've tried so far session_destroy() is the only thing that causes this bad behavior.

Here is the PHP source file:

	<?php
		session_start();
	?>
	<html>
	<head>
	</head>
	<body>
		<a href="/test-3.php">Finish test</a>
		<?php
			echo '-before';
			session_destroy();
			echo '=after';
		?>
	</body>
	</html>


This is the output if my browser has cookies enabled:

	<html>
	<head>
	</head>
	<body>
		<a href="/test-3.php">Finish test</a>
		-before=after</body>
	</html>


This is the output if my browser has cookies disabled:

	<html>
	<head>
	</head>
	<body>
		<a href="/test-3.php?PHPSESSID=9e902efea2402095d2cba275b603816f">Finish 	test</=after</body>
	</html>
	a>
		-before


This happens even if the link is after the session_destroy() and no PHPSESSID is automatically inserted.

Changing the source to this:

	<?php
		session_start();
	?>

	<html>
	<head>
	</head>
	<body>
		I'm done
		<?php
			echo '-before';
			session_destroy();
			echo '=after';
		?>
		<a href="/test-3.php">Finish test</a>
	</body>
	</html>


Results in this if cookies are disabled:

	<html>
	<head>
	</head>
	<body=after	<a href="/test-3.php">Finish test</a>
	</body>
	</html>
	>
		I'm done
		-before


It appears from all of my testing that I must have the session_destroy() before anything is output to the browser.  I think that this should be documented and fixed.

Configuration is:

'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-msql=/usr/local/Hughes' '--enable-track-vars' '--enable-memory-limit' '--enable-sysvshm' '--enable-trans-sid' '--with-gd=/usr/local' '--with-ttf=/usr/local' '--with-jpeg-dir=/usr/local' '--with-zlib-dir=shared' '--with-gdbm=/usr/local' '--with-db3=/usr/local/BerkeleyDB.3.1' '--with-xml' '--enable-ftp'

 [2002-04-12 19:13 UTC] sniper@php.net
I just tested with PHP 4.2.0RC3 and it works just fine.
Please test it: http://www.php.net/~derick/

(and note that as you destroy the session in the same request, the session id won't be added to the url which
is the correct behaviour)

 [2002-04-12 19:46 UTC] bentley at mindspring dot com
I'm not in control of the server.  So, I can't test it with RC3.  I'll have to take your word for it for now.

Thank you for the quick response.
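
The workaround the report arrives at (finish all session teardown before any output is sent), written out as a complete page. This is an added example, not code from the bug report or from the PHP project; it assumes a current PHP release, the helper name end_session() is hypothetical, and it additionally switches off URL-based session IDs so that no PHPSESSID is written into links or ends up in logs and Referer headers.

```php
<?php
// Added example, not from the bug report. Assumes a current PHP release.

// Keep the session ID out of URLs: no transparent SID rewriting, cookies only.
// These must be set before session_start().
ini_set('session.use_trans_sid', '0');
ini_set('session.use_only_cookies', '1');

/**
 * Hypothetical helper: tear the session down completely.
 * Call it before the first byte of output, because it sends a Set-Cookie header.
 */
function end_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];                       // drop the data held in this request

    if (ini_get('session.use_cookies')) { // expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                    // remove the server-side session data
}

end_session();   // all session work happens here, before any markup
?>
<html>
<head>
</head>
<body>
	<a href="/test-3.php">Finish test</a>
	-before=after
</body>
</html>
```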
 