Bug #40973 session don't work if used $_SERVER in any way
Submitted: 2007-04-01 16:12 UTC Modified: 2007-04-05 10:21 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: krassesache at gmx dot net Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.1 OS: WinXP SP2
Private report: No CVE-ID: None
 [2007-04-01 16:12 UTC] krassesache at gmx dot net
Description:
------------
if i use $_SERVER in any way but with pdo statements [ $stmt->execute(array($_SERVER['REMOTE_ADDR'])) ] a session will not work.

in my example i first open foobar.php and then foobar2.php. if i remove the 4th line in foobar2.php [ $var = $_SERVER['REMOTE_ADDR']; ] then the text "bar" appears, but with the line, nothing happens. in another case i used preg_match('#MSIE#',$_SERVER['HTTP_USER_AGENT']) with the result that the website is shown but the session doesn't work (the original problem).

Reproduce code:
---------------
=> foobar.php
<?php

session_start();
$_SESSION['foo'] = 'bar';

?>

=> foobar2.php
<?php

session_start();
$var = $_SERVER['REMOTE_ADDR'];
echo $_SESSION['foo'];

?>

Expected result:
----------------
bar

Actual result:
--------------
<nothing>

 [2007-04-03 18:58 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

Works perfectly fine.
 [2007-04-04 16:01 UTC] krassesache at gmx dot net
i also used php 5.2 with the same result.
 [2007-04-04 16:04 UTC] tony2001@php.net
Cannot reproduce.

 [2007-04-04 16:24 UTC] krassesache at gmx dot net
i got it!!!

if i set

session.referer_check = 1
session.referer_check = 0

in php.ini, the problem appears
if i set it to

session.referer_check = 

the session will work?!
 [2007-04-04 18:06 UTC] tony2001@php.net
Works perfectly fine whatever I do and doesn't depend on the value of session.referer_check.
 [2007-04-04 18:31 UTC] krassesache at gmx dot net
okay, don't know why but in my case it's the reason. maybe a very specific problem. never mind...
 [2007-04-04 18:46 UTC] tony2001@php.net
Please provide some more information on your environment: the webserver used, server API (cgi or module).
Do you have any firewalls that might affect it?
Are you sure the code provided is enough to reproduce it? 
 [2007-04-05 00:39 UTC] krassesache at gmx dot net
okay,
no firewall / windows firewall is off

phpinfo() of my localhost: http://blakkcooper.de/phpinfo.php.html
you see session.referer_check is set to "no value". no matter if i set it to "0" or "1", the sessions don't work. it works only with "no value".

i tested the example again and this happened:

opened http://localhost --> no session established (normal)
opened http://localhost/foobar.php --> new session established
opened http://localhost/foobar2.php --> a NEW SESSION was established (new SESSID)

i tested this with firefox 2.0.0.2, opera 9.02 and session.referer_check = 0
it's nuts! my example works sometimes, sometimes not?! it seems that it's random... on my website it works NEVER. it's like god will fuck me up -.-
 [2007-04-05 00:56 UTC] scottmac@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

session.referer_check is used to see if a substring is present in the referrer, it's not a boolean flag.
 [2007-04-05 10:12 UTC] krassesache at gmx dot net
i see... it's not a bug, it's a feature :D
 [2007-04-05 10:21 UTC] krassesache at gmx dot net
; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.

session.referer_check --> string

damn it >.< selfowned
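
The substring rule that resolves this report, as an added example (not part of the original thread and not PHP's own source): a small model showing that "0" and "1" are strings searched for in the Referer, not off/on switches. The function name, the sample requests and the handling of a missing Referer are assumptions of this sketch.

```php
<?php
// Added illustration: a model of the rule quoted from php.ini in this thread,
// not PHP's internal implementation.

/**
 * Decide whether an incoming session id would be kept.
 *
 * $setting - value of session.referer_check (a string in php.ini)
 * $referer - the request's Referer header, or null if the browser sent none
 */
function referer_check_keeps_session(string $setting, ?string $referer): bool
{
    // An empty setting ("no value" in phpinfo()) disables the check.
    if ($setting === '') {
        return true;
    }
    // Assumption of this sketch: a request without a Referer is not rejected
    // (for example a URL typed into the address bar).
    if ($referer === null || $referer === '') {
        return true;
    }
    // The rule from php.ini: HTTP_REFERER has to contain this substring.
    return strpos($referer, $setting) !== false;
}

// Constructed requests, modelled on the URLs used in the report.
$requests = [
    'typed URL, no Referer'             => null,
    'link from foobar.php'              => 'http://localhost/foobar.php',
    'link from port 8010 (constructed)' => 'http://localhost:8010/foobar.php',
];

// '' disables the check; '0' and '1' are the values tried in the report;
// 'localhost' is a substring that actually identifies the site.
foreach (['', '0', '1', 'localhost'] as $setting) {
    foreach ($requests as $label => $referer) {
        printf(
            "referer_check=%-11s  %-34s  %s\n",
            var_export($setting, true),
            $label,
            referer_check_keeps_session($setting, $referer)
                ? 'session kept'
                : 'session id discarded, new one issued'
        );
    }
}
```

The Referer header is supplied by the client, so a matching value only filters externally stored URLs that carry a session id, as the php.ini comment says; it does not authenticate the request.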
 