Request #31369 session_destroy() and/or session_write_close() should unregister URL handler
Submitted: 2004-12-31 16:33 UTC Modified: 2012-03-29 09:29 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: baafie at planet dot nl Assigned: sas
Status: Wont fix Package: Session related
PHP Version: 4.3.10 OS: Linux Red hat 9 -2.4.20
Private report: No CVE-ID: None
 [2004-12-31 16:33 UTC] baafie at planet dot nl
Description:
------------
According to the PHP manual, session_start() will register an internal output handler for URL rewriting when trans-sid is enabled. Should session_destroy() and/or session_write_close() not unregister this handler?

Reproduce code:
---------------
<?php

// Enable trans-sid before the session starts so that session_start()
// installs the URL-rewriting output handler.
ini_set('session.use_trans_sid', '1');
session_start();

// Printed while the session is live: expected to be rewritten with the SID.
// "\n" must be in double quotes to be a newline ('\n' prints a literal backslash-n).
echo "<a href=\"index.php\">a page</a>\n";
session_destroy();
// Printed after the session is destroyed: expected to be left untouched.
echo '<a href="index.php">a page</a>';

?>

Expected result:
----------------
Only the link that was printed before session_destroy() should contain the session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php">a page</a>

Actual result:
--------------
Both URLs contain the session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php?PHPSESSID=2382309823823...">a page</a>

 [2005-01-17 02:38 UTC] destes at ix dot netcom dot com
This is a potential security issue, since I read the manual as describing the behavior this bug expects (whereas the experienced behavior is very different). The ability to keep session data private (especially SIDs) is very important, and I don't think the developers intended trans-sid to extend beyond the use of sessions in a script (i.e., beyond where the session has been destroyed).

On a side note, you can avoid having trans-sid append your links by using absolute (rather than relative) URLs.

I recommend that the original submitter change this back from Bogus; absolutely zero explanation was given as to why this isn't a bug, and I (personally) happen to disagree.

-Steve
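The report above and the follow-up comment both turn on the same point: once session_start() has installed the trans-sid URL rewriter, nothing in the script (not session_destroy(), not absolute-vs-relative URL choice in every link) reliably keeps the SID out of the output. The practical fix is to never let the rewriter be installed and to deliver the SID by cookie only. The following is an added example, not code from the bug report or from ext/session; the function names secure_session_start, secure_logout and trans_sid_handler_active, and the session name APPSESSID, are this example's own choices. It assumes PHP 7 or later (scalar type declarations), and the "URL-Rewriter" string is the name under which the session URL rewriter appears in ob_list_handlers().

```php
<?php
// Added example (not part of the bug report): a session bootstrap that keeps
// the session ID out of URLs entirely, plus a logout that fully ends the session.

function secure_session_start(string $name = 'APPSESSID'): void
{
    // With trans-sid off, session_start() installs no URL-rewriting output
    // handler, so the question "does session_destroy() remove it?" never arises.
    ini_set('session.use_trans_sid', '0');
    // Refuse SIDs arriving via query string or POST body (session-fixation defence).
    ini_set('session.use_only_cookies', '1');
    // Reject session IDs the server never issued (PHP 5.5.2+).
    ini_set('session.use_strict_mode', '1');

    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    // lifetime 0 = browser-session cookie; Secure when served over TLS; HttpOnly always.
    session_set_cookie_params(0, '/', '', $https, true);
    session_name($name);
    session_start();
}

function secure_logout(): void
{
    // Order matters: wipe the data, expire the client's cookie, then destroy the
    // server-side record (the sequence shown on the session_destroy() manual page).
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Check for the condition this report is about: is the trans-sid rewriter
// sitting in the output-handler stack? true would mean session_start()
// installed it and every URL echoed from here on may carry the SID.
function trans_sid_handler_active(): bool
{
    return in_array('URL-Rewriter', ob_list_handlers(), true);
}

secure_session_start();
$_SESSION['user'] = 'alice';               // constructed sample session data
var_dump(trans_sid_handler_active());      // should be false with the settings above
echo '<a href="index.php">a page</a>', "\n";
secure_logout();
echo '<a href="index.php">a page</a>', "\n";   // no rewriter, so no SID either way
```

Run it from the CLI or any web SAPI; the var_dump line is the check to keep in a deployment smoke test, since a php.ini or .htaccess that re-enables session.use_trans_sid would make it report true even though the application code never asked for rewriting.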
 [2005-01-17 18:38 UTC] sniper@php.net
Assigning to the author of ext/session who can explain this / change it if he wishes.

 [2010-12-20 14:06 UTC] jani@php.net
-Package: Feature/Change Request +Package: Session related
 [2012-03-29 09:29 UTC] yohgaki@php.net
We are sorry, but we cannot support PHP 4 related problems anymore.


 [2012-03-29 09:29 UTC] yohgaki@php.net
-Status: Assigned +Status: Wont fix
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri May 09 15:01:27 2025 UTC