Bug #42367 Keeping track of session ID fails due to referer_check when referer is sent
Submitted: 2007-08-21 22:04 UTC Modified: 2007-08-22 09:05 UTC
From: g dot schuster at laxit dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.3 OS: Windows XP Pro SP2
Private report: No CVE-ID: None
 [2007-08-21 22:04 UTC] g dot schuster at laxit dot com
Description:
------------
Keeping track of the session ID fails due to referer_check when a link is clicked even if session.referer_check is disabled in the global AND in the local config.
phpinfo() correctly states session.referer_check=0 for both global and local config.

If you add the URL parameters (NOT the session id parameters!) to the URL and hit "Enter" everything works fine because, in my case, Firefox doesn't send a referer.

Problem can be solved if ini_set('session.referer_check', FALSE); is set in the script.

Reproduce code:
---------------
http://www.laxit.com/tmp_files/phpbug/session_bug.html
http://www.laxit.com/tmp_files/phpbug/phpinfo.html

Expected result:
----------------
Session keeps state and doesn't check for referer if session.referer_check=0

Actual result:
--------------
session_id($_REQUEST[session_name()]);
session_start();

creates a new session because it doesn't respect the session.referer_check=0

 [2007-08-21 23:10 UTC] g dot schuster at laxit dot com
>when a link is clicked
should mean "when a referer is sent"

Sorry for that mistake, been awake for too long.
 [2007-08-22 09:05 UTC] jani@php.net
You should sometimes read what is said in the php.ini-dist about the options. This has always been like this:

; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

This is NOT some option you turn off/on. To "turn it off" you simply either a) don't set it in php.ini or b) set it with an empty value.
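As an added illustration of the semantics described in the reply above (this is a constructed Python model, not PHP's own code, and it assumes the session extension behaves as the php.ini-dist comment states: the check is skipped when the setting is empty or no Referer is sent, and otherwise the configured value must occur as a substring of the Referer), the functions below show why "0" in php.ini still invalidates the id while ini_set(..., FALSE) does not:

```python
from typing import Optional, Union


def php_ini_string(value: Union[bool, int, str]) -> str:
    """Model of how PHP coerces an ini_set() / php.ini value to a string.

    Assumption: FALSE becomes "" and TRUE becomes "1"; integers and strings are
    used verbatim. This is why ini_set('session.referer_check', FALSE) disables
    the check while "session.referer_check = 0" in php.ini does not.
    """
    if isinstance(value, bool):
        return "1" if value else ""
    return str(value)


def referer_check_accepts(referer_check: str, http_referer: Optional[str]) -> bool:
    """Return True if an incoming session id survives the referer check."""
    # An empty setting means the check is not configured at all.
    if referer_check == "":
        return True
    # Without a Referer header there is nothing to compare, so the id is kept.
    # (This is why typing the URL into the address bar "worked" for the reporter.)
    if not http_referer:
        return True
    # Otherwise the configured value must be a substring of the Referer.
    return referer_check in http_referer


def effective_session_id(incoming_id: Optional[str], referer_check: str,
                         http_referer: Optional[str]) -> Optional[str]:
    """Id the request continues with, or None when PHP discards it and starts
    a fresh session (the behaviour the reporter observed)."""
    if incoming_id and not referer_check_accepts(referer_check, http_referer):
        return None
    return incoming_id


# Constructed sample: the reporter's own page URL acting as the Referer.
SAMPLE_REFERER = "http://www.laxit.com/tmp_files/phpbug/session_bug.html"

if __name__ == "__main__":
    # php.ini "session.referer_check = 0": Referer contains no "0" -> new session
    print(effective_session_id("abc123", php_ini_string(0), SAMPLE_REFERER))
    # ini_set('session.referer_check', FALSE): setting is "" -> id kept
    print(effective_session_id("abc123", php_ini_string(False), SAMPLE_REFERER))
```

A practical check on any deployment is to confirm that phpinfo() shows session.referer_check as an empty value (or as the intended substring), never as "0" or "Off".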
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Tue Jul 22 07:00:03 2025 UTC