php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #25057 Session randomly changes session_id
Submitted: 2003-08-12 11:15 UTC Modified: 2003-08-13 11:11 UTC
From: asnagy at syr dot edu Assigned:
Status: Closed Package: Session related
PHP Version: 4.3.2 OS: RH 9 Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: asnagy at syr dot edu
New email:
PHP Version: OS:

 

 [2003-08-12 11:15 UTC] asnagy at syr dot edu 
Description:
------------
Our sessions are handled through a database.  The handler functions are managed via a class that was generated by PEAR::DB_DataObjects

For debug purposes, I print out the session_id on everypage, and the session_id is regenerated randomly after a FEW minutes of nonuse.

The session lengths are set to 1200 seconds (20 minutes)
The session cookie expiration are also set to 20 minutes
I set the GC probability to 100/100 to test that it is being run on every page click.

We have spent numerous hours debugging code and trying to trace it down; but have concluded that the session_id is randomly regenerated due to a bug in PHPs session management.

When the session is regenerated, the old session still exists fully intact in the db, the new session is null.  The cookie still exists.

If you can shed any light as to why this might be happening, I would be extemely excited!

Reproduce code:
---------------
function read($sess_id)
    {
        $session = new Session();
        $session->id = $sess_id;
        if ($session->find(true)) {
            return $session->data;
        } else {
            return NULL;
        }
    }

    function write($sess_id, $data)
    {
        //Clear session
        $session = new Session();
        $session->id = $sess_id;
        if ($session->find()) {
            $session->delete();
        }

        //Create session
        $session = new Session();
        $session->id = $sess_id;
        $session->stamp = 'NOW()';
        $session->data = $data;
        $session->insert();

        return true;
    }

    function destroy($sess_id)
    {
        $session = new Session();
        $session->id = $sess_id;

        return $session->delete();
    }

    function gc($max_lifetime)
    {
        global $db;

        $smarty = new Smarty();

        $id     = '';
        $sql    = "stamp < NOW() - CAST('" . $max_lifetime .
                  " seconds' AS INTERVAL)";

        $result = $db->query("SELECT id FROM session WHERE " . $sql);
        while ($row = $result->fetchRow()) {
            $smarty->clear_cache(null, $row['id']);
            $id .= $row['id'] . ' ';
        }

        $db->query("DELETE FROM session WHERE " .
                   "(data IS NULL OR data NOT LIKE '%username%') OR " . $sql);

        return true;
    }

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-08-12 11:43 UTC] iliaa@php.net 
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
 [2003-08-13 10:43 UTC] asnagy at syr dot edu 
Seems to be working great.  What was the bug?
 [2003-08-13 11:11 UTC] iliaa@php.net 
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Aug 02 09:00:03 2025 UTC