php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #12218 relative URL incorrect when a "session id" is appended to URL
Submitted: 2001-07-17 19:41 UTC Modified: 2001-12-05 10:10 UTC
From: ddawson at execpc dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.0.6 OS: RedHat Linux 6.2 (2.2.12 kernel)
Private report: No CVE-ID: None
 [2001-07-17 19:41 UTC] ddawson at execpc dot com
Hi,
I'm not sure if this is a PHP problem, an Apache problem, or a browser problem.

Versions:
PHP 4.0.6, configured with:
./configure --with-apache=../apache_1.3.20 \
--with-mysql=/usr/local/mysql \
--enable-track-vars \
--enable-session

Apache 1.3.20, configured with:
./configure "--with-layout=Apache" \
"--prefix=/etc/httpd" \
"--activate-module=src/modules/php4/libphp4.a" \
"--enable-suexec" \
"--suexec-caller=http" \
"--suexec-docroot=/home/baseweb" \
"--suexec-logfile=/var/log/httpd/suexec_log" \
"--suexec-safepath=/bin:/usr/bin" \
"$@"

Browsers checked, all act consistently for this problem:
Konqueror 2.1.1
    on platform Linux Mandrake 8 (2.4.3-20mdk kernel), with KDE 2.1.1
Netscape Communicator 4.73
    on platform Windows NT 4.0 SP5
Internet Explorer 5.01 SP1
    on platform Windows NT 4.0 SP5

URL to the server's phpinfo() page:
http://mail17.domainhost.com/session_test/phpinfo.html

Short summary:
I have been having trouble with session management functions
all day, so I am going to store my session stuff in a database
instead of burning time and brain cells debugging this.  (So there
are no session_ function calls at all.)     I ended up implementing
an idea from here:
http://www.easysoft.com/tech/php/tut_001/main.phtml

I am creating a 32-bit "session id" the standard way I've seen everywhere,
$session_id = md5(uniqid(rand()));

I chose to try an example of "hiding" the session id on the end of the URL,
as described in a New Riders book "Web Application Development with PHP 4.0"
by Tobias Ratschiller and Till Gerken.
(so that the URL is of the form:
http://mail17.domainhost.com/session_test/main.html/f02c5b6038a7f9681fa671e84f33e9bc)

When I use relative URLs for pages and images, and there is a session id
at the end of the URL, all browsers that I've encountered produce "broken" links
of this form:
http://mail17.domainhost.com/session_test/main.html/mail.html/f02c5b6038a7f9681fa671e84f33e9bc
instead of the expected
http://mail17.domainhost.com/session_test/mail.html/f02c5b6038a7f9681fa671e84f33e9bc

To get this sample application functional, I had to prepend '../'
to my relative URLs, for both hypertext links, and img src path
Why?  The files are all in the same directory, so I think I've found
a bug (and it's workaround).

The reason I am not sure if the error is on the browser side or the
server side is:  When I view the page source, it appears as expected,
not with the "broken" link/image paths.

The "flow" through this sample application is:
Start ->
index.html (login form, enter any login id, any password) ->
login.html (authenticates, creates $session_id, then redirects in auth.inc) ->
main.html/$session_id    ->
mail.html/$session_id (when you click on first link)
        OR
billing.html/$session_id (when you click on second link)
        OR
web.html/$session_id (when you click on third link)
        OR
logout.html/$session_id (when you click on the last link) ->  Start

URL to functional sample application:
http://mail17.domainhost.com/session_test/index.html

URL to functional sample application PHP source:
http://mail17.domainhost.com/session_test_src/index.html


URL to broken sample application:
http://mail17.domainhost.com/bad_session_test/index.html

URL to broken sample application PHP source:
http://mail17.domainhost.com/bad_session_test_src/index.html

Differences are isolated to these files:
del-session.inc (redirect to index.html)
session.inc (redirect to index.html)
header.inc  (image path)
main.html   (hypertext links to mail, billing, web, logout pages)

Thanks for your hard work on PHP 4!  It is really great,
and I want to make it better!

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-05 10:10 UTC] sander@php.net
This is really not a bug in PHP.
If you append it using a slash (/), then main.html will be considered a directory. If you point your browser to somewhere.html, it uses /main.html as the current dir, and appends /somewhere.html -> /main.html/somewhere.html
This is not a bug in PHP or in a browser, but in the way you use you manage your self-made session-ids.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 13:01:26 2019 UTC