|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #12218 relative URL incorrect when a "session id" is appended to URL
Submitted: 2001-07-17 19:41 UTC Modified: 2001-12-05 10:10 UTC
From: ddawson at execpc dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.0.6 OS: RedHat Linux 6.2 (2.2.12 kernel)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
40 - 2 = ?
Subscribe to this entry?

 [2001-07-17 19:41 UTC] ddawson at execpc dot com
I'm not sure if this is a PHP problem, an Apache problem, or a browser problem.

PHP 4.0.6, configured with:
./configure --with-apache=../apache_1.3.20 \
--with-mysql=/usr/local/mysql \
--enable-track-vars \

Apache 1.3.20, configured with:
./configure "--with-layout=Apache" \
"--prefix=/etc/httpd" \
"--activate-module=src/modules/php4/libphp4.a" \
"--enable-suexec" \
"--suexec-caller=http" \
"--suexec-docroot=/home/baseweb" \
"--suexec-logfile=/var/log/httpd/suexec_log" \
"--suexec-safepath=/bin:/usr/bin" \

Browsers checked, all act consistently for this problem:
Konqueror 2.1.1
    on platform Linux Mandrake 8 (2.4.3-20mdk kernel), with KDE 2.1.1
Netscape Communicator 4.73
    on platform Windows NT 4.0 SP5
Internet Explorer 5.01 SP1
    on platform Windows NT 4.0 SP5

URL to the server's phpinfo() page:

Short summary:
I have been having trouble with session management functions
all day, so I am going to store my session stuff in a database
instead of burning time and brain cells debugging this.  (So there
are no session_ function calls at all.)     I ended up implementing
an idea from here:

I am creating a 32-bit "session id" the standard way I've seen everywhere,
$session_id = md5(uniqid(rand()));

I chose to try an example of "hiding" the session id on the end of the URL,
as described in a New Riders book "Web Application Development with PHP 4.0"
by Tobias Ratschiller and Till Gerken.
(so that the URL is of the form:

When I use relative URLs for pages and images, and there is a session id
at the end of the URL, all browsers that I've encountered produce "broken" links
of this form:
instead of the expected

To get this sample application functional, I had to prepend '../'
to my relative URLs, for both hypertext links, and img src path
Why?  The files are all in the same directory, so I think I've found
a bug (and it's workaround).

The reason I am not sure if the error is on the browser side or the
server side is:  When I view the page source, it appears as expected,
not with the "broken" link/image paths.

The "flow" through this sample application is:
Start ->
index.html (login form, enter any login id, any password) ->
login.html (authenticates, creates $session_id, then redirects in ->
main.html/$session_id    ->
mail.html/$session_id (when you click on first link)
billing.html/$session_id (when you click on second link)
web.html/$session_id (when you click on third link)
logout.html/$session_id (when you click on the last link) ->  Start

URL to functional sample application:

URL to functional sample application PHP source:

URL to broken sample application:

URL to broken sample application PHP source:

Differences are isolated to these files: (redirect to index.html) (redirect to index.html)  (image path)
main.html   (hypertext links to mail, billing, web, logout pages)

Thanks for your hard work on PHP 4!  It is really great,
and I want to make it better!


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-05 10:10 UTC]
This is really not a bug in PHP.
If you append it using a slash (/), then main.html will be considered a directory. If you point your browser to somewhere.html, it uses /main.html as the current dir, and appends /somewhere.html -> /main.html/somewhere.html
This is not a bug in PHP or in a browser, but in the way you use you manage your self-made session-ids.
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Jul 13 05:01:26 2020 UTC