Bug #16579 Using session_destroy() after start of output can mangle output
Submitted: 2002-04-12 19:00 UTC
Modified: 2002-04-12 19:46 UTC
From: bentley at mindspring dot com
Assigned:
Status: Closed
Package: Session related
PHP Version: 4.1.2
OS: SunOS
Private report: No
CVE-ID: None
 [2002-04-12 19:00 UTC] bentley at mindspring dot com
When using session_destroy() in a page that has a link which is automatically modified to include the PHPSESSID, the output is mangled. Here is the shortest example I could come up with that demonstrates what happens clearly.

With everything I've tried so far session_destroy() is the only thing that causes this bad behavior.

Here is the PHP source file:

	<?php
		session_start();
	?>
	<html>
	<head>
	</head>
	<body>
		<a href="/test-3.php">Finish test</a>
		<?php
			echo '-before';
			session_destroy();
			echo '=after';
		?>
	</body>
	</html>


This is the output if my browser has cookies enabled:

	<html>
	<head>
	</head>
	<body>
		<a href="/test-3.php">Finish test</a>
		-before=after</body>
	</html>


This is the output if my browser has cookies disabled:

	<html>
	<head>
	</head>
	<body>
		<a href="/test-3.php?PHPSESSID=9e902efea2402095d2cba275b603816f">Finish 	test</=after</body>
	</html>
	a>
		-before


This happens even if the link is after the session_destroy() and no PHPSESSID is automatically inserted.

Changing the source to this:

	<?php
		session_start();
	?>

	<html>
	<head>
	</head>
	<body>
		I'm done
		<?php
			echo '-before';
			session_destroy();
			echo '=after';
		?>
		<a href="/test-3.php">Finish test</a>
	</body>
	</html>


Results in this if cookies are disabled:

	<html>
	<head>
	</head>
	<body=after	<a href="/test-3.php">Finish test</a>
	</body>
	</html>
	>
		I'm done
		-before


It appears from all of my testing that I must have the session_destroy() before anything is output to the browser.  I think that this should be documented and fixed.

Configuration is:

'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-mysql=/usr/local/mysql' '--with-msql=/usr/local/Hughes' '--enable-track-vars' '--enable-memory-limit' '--enable-sysvshm' '--enable-trans-sid' '--with-gd=/usr/local' '--with-ttf=/usr/local' '--with-jpeg-dir=/usr/local' '--with-zlib-dir=shared' '--with-gdbm=/usr/local' '--with-db3=/usr/local/BerkeleyDB.3.1' '--with-xml' '--enable-ftp'

 [2002-04-12 19:13 UTC] sniper@php.net
I just tested with PHP 4.2.0RC3 and it works just fine.
Please test it: http://www.php.net/~derick/

(and note that as you destroy the session in the same request, the session id won't be added to the url which
is the correct behaviour)

 [2002-04-12 19:46 UTC] bentley at mindspring dot com
I'm not in control of the server.  So, I can't test it with RC3.  I'll have to take your word for it for now.

Thank you for the quick response.
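
The workaround the reporter arrives at, calling session_destroy() before anything is output, written out as a full session teardown. This is an added example, not code from the report or from the PHP project; it assumes a current PHP release rather than 4.1.2, and the function name end_session() is hypothetical.

```php
<?php
// Added example: tear the session down before the first byte of the page.
// Assumption: current PHP release; end_session() is a hypothetical helper.

function end_session(): bool
{
    // If output has already started, the cookie header below can no longer
    // be sent. Report where the output began instead of failing silently.
    if (headers_sent($file, $line)) {
        error_log("session teardown skipped: output started at $file:$line");
        return false;
    }

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Drop the session data held in this request.
    $_SESSION = [];

    // Expire the session cookie on the client when cookies carry the ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }

    // Remove the server-side session data.
    return session_destroy();
}

// Must run before any HTML, including whitespace ahead of the opening tag.
$ended = end_session();
?>
<html>
<head>
</head>
<body>
	<a href="/test-3.php">Finish test</a>
	<?php echo $ended ? 'session ended' : 'session still active'; ?>
</body>
</html>
```

Because the session is already gone when the link is written, no PHPSESSID is appended to it, which matches the behaviour described in the 19:13 UTC reply.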
 
Last updated: Fri Apr 19 07:01:27 2024 UTC