php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #18855 PHPSESSID, The Session Key is chagned in same page
Submitted: 2002-08-11 08:30 UTC Modified: 2014-08-09 20:05 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: number3 at windogs dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 4.2.2 OS: Linux 2.4.18
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: number3 at windogs dot com
New email:
PHP Version: OS:

Further comment on this bug is unnecessary.

 

 [2002-08-11 08:30 UTC] number3 at windogs dot com 
Hi,

i have used the php session with pgsql handler, for user authencation.
but I find that the php session key, PHPSESSID is changed same page. that sistuation is not always, but a few time.


my debug code below.
--------------------------------------------
session_register("userinfo");
$q_update = "UPDATE session SET userid = '".$userinfo->id."' WHERE sesskey = '".$PHPSESSID."'";
pg_exec($conn, $q_update);
--------------------------------------------

the register value "userinfo" is class var.
in debug result, the empty PHPSESSID value, not null value value is recorded.
and Session key is threr changed.
1. orginal sesskey
2. empty sesskey
3. new sesskey

That result in no login because sesskey is changed.

why that cause ?

addition, why be The PHPSESSID empty value ?
that is not normal. that situtaion result in session share.
1. user A -> login with sesskey1(sucess)
2. user B -> login with sesskey2(sucess)
3. user A -> logout and new sesskey in empty value
4. user B -> logout and new sesskey in empty value
5. so A and B share same sesskey.
After that sistuation,
6. user A login sucessful, and 
user B load other page, that user B have user A's session value, so user A and B share session with empty sesskey.

That is prevented from php session lib that empty value of sesskey no permitted.

thanks for advanced.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-08-13 21:50 UTC] kalowsky@php.net 
I'm not sure I understand this bug completely, so bare with me.  From what I gather, your code writes a new userid based upon the userinfo->id, where the PHPSESSID is.  From your example though I don't see how this could be possible as the $PHPSESSID won't change during the execution of the page.  

But in any case, can you please provide a short sample script to reproduce this?  It would help.
 [2002-09-19 13:24 UTC] kalowsky@php.net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 [2014-08-09 20:05 UTC] rasmus@php.net
-Block user comment: No +Block user comment: Yes
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Oct 28 16:00:01 2025 UTC