|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15999 fread() hangs apache when file pointer obtained from a url parameter PHPSESSID
Submitted: 2002-03-11 10:48 UTC Modified: 2002-08-12 01:00 UTC
Avg. Score:5.0 ± 0.0
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:2 (66.7%)
From: didier dot alain at laposte dot net Assigned:
Status: No Feedback Package: Session related
PHP Version: 4.1.0, 4.0.6 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2002-03-11 10:48 UTC] didier dot alain at laposte dot net
$url = "http://test/block.html?PHPSESSID=".session_id();
$fp = fopen($url, 'r');  // the file pointer semms to be valid
$file = fread($fp,1048576); //hangs here !
echo $file;

hangs apache (1.3.x). Same with 4.0.2, 4.0.6 Linux (RH 6.2 and Debian 2.2), never on Win98. Other parameters don't have the same effect.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-03-11 11:17 UTC]
You're calling the same script with that fopen() ?
The behaviour is called 'infinite recursion' and yes,
it will hang. 

Not a bug.


 [2002-03-11 12:38 UTC] didier dot alain at laposte dot net
Why do you think that block.html is the same script ? Maybe my example is not very clear. But you are right, Apache behavior looks like infinite recursion. Let me explain again and more precisly :
the script A (the one in the previous post) tries to open the url B ($url). Script C is auto_prepended (at fread instruction, right ?) and validate the access to the script B, with the session variable. If I don't use the PHPSESSID in the url parameter (and skip the test in the script C), the script is OK. If I use another parameter than PHPSESSID, the script A is OK. Same behavior with fgets, readfile, etc... Note that the script C is auto_prepended only in a subdirectory (containing only docs like B) by apache configuration (<Directory ...> php_value ....</Directory>) and of course scripts A and C are not on this directory.
 [2002-03-11 13:28 UTC]
Ok..let's reopen this. I have no idea what you're doing
but if you're not doing what I thought you were, it might
be a bug..although that auto_prepend thing makes me wonder..

Please add some example scripts and what needs to be set
in php.ini / httpd.conf to reproduce this.

 [2002-03-19 05:03 UTC]
What is the name of the script you have pasted?
What is the content of block.html?

It seems you are not calling the same script, but
if block.html is calling the script pasted, it's
the same.

 [2002-06-01 11:51 UTC] didier dot alain at laposte dot net
Sorry for the long time...

Here's a complete but simple example :

In httpd.conf
<Directory "/var/www/docs/">
  php_value auto_prepend_file "block.php"

(block.php is in my php.ini include_path, and /var/www is my Apache DocumentRoot)

open_doc.php   (<--I call this one with my browser)
  $s_util = toto";
  echo "Session Id :".session_id(); //just to be sure...
  $doc = "http://http://myserver/docs/mydoc.html?PHPSESSID=".session_id();
  readfile($doc); //same with $fp=fopen($doc, "r");

  echo "Session Id :".session_id(); //just to be sure...
  if (session_is_registered("s_util"))
     echo "Right, man !";
     echo "No auth!";

I can't see any infinite loop here, but I may be wrong... Whenever you don't pass the session param in the url anymore,   there's "no problem" anymore, except you can't retrieve session values !
 [2002-06-01 11:56 UTC] didier dot alain at laposte dot net
It was a type mismatch, of course, sorry.
 [2002-07-11 00:40 UTC]
Your scripts will never work since the session data
will be available AFTER the script is run.

What are you trying to achieve? Can't you just use include()
as the files are on same machine???

 [2002-08-12 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2004-05-08 02:12 UTC] jcgonz at innox dot com dot mx
I have exactly the same problem. I try to send PHPSESSID=session_id() and apache hangs up; when I change PHPSESSID from the url string, it works perfectly (Obviously this doesn't work because I need to know in the target script what session are we talking about).

Does anyone has a solution for this? Thanks in advance!
 [2008-02-06 10:21 UTC] juergen dot link at freenet dot de
I came across the same issue - the answer is pretty simple.
PHP does not support parallel requests with the same session id, i.e. the session ids serves as mutex for the requests.
Thus, triggering a http request to a session <X> from within another request to this very session will lead to a timeout for this request. After the first request is finished, the second one will come to a happy end, too. You may observe this in your web server's log.
 [2008-07-09 10:17 UTC] ghazban at gmail dot com
The mentioned problem is probably caused because PHP opens the session file in a exclusive, which denies other threads to open the same file.

// Starts session and opens session file in exclusive mode

// And here is the important thing. You need to close the session file, before calling in second thread, which will access the same session file.

// read http page into string
$html = implode("", file("http://localhost/backend.php?".session_name()."=".session_id()."&SESSION_NAME=".session_name());

// Start again the session
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 15 23:01:30 2024 UTC