PHP :: Bug #71038 :: session_start() returns TRUE on failure

Bug #71038

session_start() returns TRUE on failure

Submitted:

2015-12-05 15:27 UTC

Modified:

2016-10-16 08:58 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

pfenderd at bellsouth dot net

Assigned:

yohgaki (profile)

Status:

Closed

Package:

Session related

PHP Version:

7.1.0RC3

OS:

Irrelevant

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	pfenderd at bellsouth dot net
New email:
PHP Version:		OS:

New Comment:

[2015-12-05 15:27 UTC] pfenderd at bellsouth dot net

Description:
------------
On a hosting server, the /tmp file system was mounted as read-only.
The function session_start() returned TRUE on failure to open a session file. It should have returned FALSE.
There is a Warning message issued by PHP but it should have been an ERROR message.


Test script:
---------------
session_start();
session_write_close();


Expected result:
----------------
session_start needs to return FALSE on failure to open a session.

Actual result:
--------------
Warning: session_start(): open(/tmp/sess_99c3aa0ceeec362b9de4ece520aeef64, O_RDWR) failed: Read-only file system (30) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 2

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php:2) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 2

Warning: session_write_close(): open(/tmp/sess_99c3aa0ceeec362b9de4ece520aeef64, O_RDWR) failed: Read-only file system (30) in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 3

Warning: session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in /homepages/21/d361866886/htdocs/dayspeak_net/testlp.php on line 3

Patches

Pull Requests

Pull requests:

Fix bug #71038 - session_start() returns true even when it failed (php-src/2167)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-12-09 14:53 UTC] laruence@php.net

-Assigned To: +Assigned To: yohgaki

[2015-12-09 14:53 UTC] laruence@php.net

please have a look, it's a little weird s_open doesn't verify the path first..

[2015-12-09 21:51 UTC] yohgaki@php.net

Sure.

[2015-12-10 12:44 UTC] yohgaki@php.net

-Status: Assigned +Status: Analyzed

[2015-12-10 12:44 UTC] yohgaki@php.net

I have to change session internal functions (php_session_flush, php_session_save_current_state, etc) so that they return SUCCESS/FAILURE. These functions are static and may be changed in released versions. I'll modify these for 5.6/7.0. I have to look into save handler code more closely if I can change without compatibility issues. I guess I can since current save handler has stricter rules for return values.

[2015-12-16 01:18 UTC] yohgaki@php.net

Return value of PHPAPI function is needed to be changed to fix this.
The fix will only be applied to next minor version at best. i.e. 7.1 or later.

[2016-01-12 11:48 UTC] yohgaki@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a15e9ccba8a34553c029fb4574edba87c76447e5
Log: Fixed Bug #71038 session_start() returns TRUE on failure

[2016-01-12 11:48 UTC] yohgaki@php.net

-Status: Analyzed +Status: Closed

[2016-01-12 11:50 UTC] yohgaki@php.net

I used PS(session_status) to fix this. 
PHP 5.6 still returns TURE on read failure to keep compatibility for buggy save handlers.
PHP 7.0 and up are treats read error strictly.

[2016-01-14 04:24 UTC] yohgaki@php.net

Related To: Bug #69964

[2016-10-06 08:05 UTC] yohgaki@php.net

-Status: Closed +Status: Re-Opened -Operating System: Linux +Operating System: Irrelevant -PHP Version: 5.6.16 +PHP Version: 7.1.0RC3

[2016-10-06 08:05 UTC] yohgaki@php.net

There is a case still start session and initialize $_SESSION with error. Bug #73245

[2016-10-06 08:07 UTC] yohgaki@php.net

Related To: Bug #73245

[2016-10-16 08:58 UTC] yohgaki@php.net

Sorry for late important bug fix. I was thinking to create a new RFC for this, but I forgot it completely.

This kind of bug fix can only be in minor release. If RM feels to late/large at this point. I don't mind applying this only to master branch.

[2016-11-17 02:09 UTC] yohgaki@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f196e321fa464075248eced7d0d2c046b686b24
Log: Fix bug #71038 - session_start() returns true even when it failed PR #2167

[2016-11-17 02:09 UTC] yohgaki@php.net

-Status: Re-Opened +Status: Closed

[2017-01-12 09:12 UTC] krakjoe@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f196e321fa464075248eced7d0d2c046b686b24
Log: Fix bug #71038 - session_start() returns true even when it failed PR #2167

[2017-09-19 14:43 UTC] requinix@php.net

Related To: Bug #75227

[2018-05-22 09:21 UTC] requinix@php.net

Related To: Bug #76358

[2018-05-22 10:03 UTC] tony at marston-home dot demon dot co dot uk

Related To: Bug #76358

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Feb 01 22:01:29 2025 UTC