PHP :: Bug #17106 :: Session variable disappears

Bug #17106

Session variable disappears

Submitted:

2002-05-08 19:00 UTC

Modified:

2002-06-15 01:00 UTC

Votes:	6
Avg. Score:	5.0 ± 0.0
Reproduced:	6 of 6 (100.0%)
Same Version:	2 (33.3%)
Same OS:	0 (0.0%)

From:

Lee dot Seldon at infotech dot monash dot edu dot au

Assigned:

Status:

No Feedback

Package:

Session related

PHP Version:

4.1.2

OS:

Win98, Win2000 Pro

Private report:

CVE-ID:

None

View Developer Edit

[2002-05-08 19:00 UTC] Lee dot Seldon at infotech dot monash dot edu dot au

Following is a login script which sets a session variable $userSN. First time it is run, it prompts for username and password, then sets the $userSN and displays "Welcome...". Second time it is run within a session, it checks isset($userSN) and displays "You are already logged in"
Performance:
Win98, Apache1.3.22, Netscape 4.75, php4.1.0 - first time - prompts as expected and displays "Welcome..", second time - displays "already logged in" as expected
Win98, Apache1.3.22, Netscape 4.75, php4.1.2 - first time - prompts as expected and displays "Welcome..", second time - prompts for name and password again, so $userSN has NOT been set or has disappeared. (Note: same behavior with Win2000 Pro, Apache1.3.22, Netscape 4.75, php4.1.0)
Win98, Apache1.3.22, Netscape 4.75, php4.2.0 - first time - prompts as expected, but on "submit" returns immediately to the prompt again.
PHP session parameters in php.ini are the default options.
Previous bug report 15867 - was claimed to have been fixed.

<?
//  sets global $userSN
//  $OnLine = true by default

//////////////////////////////////////////////////////////////////////
//Note: 
// ensure no headers are called!
    
    include("./HealthWebConfig.php");
    include("./CommonFunction.php");
	
	session_start(); // starting session
	// session variables must be global
	global $userSN;
	// registering session variables
	session_register("userSN");
	
// test if user is loged-in
?>
	<html>
	<head>
	<script language="JavaScript">
	<!-- Begin validation script
	function validate_form()
	{
		if(document.loginForm.form_username.value == "")
		{
			alert('\nPlease enter a user name.');
			document.loginForm.form_username.select();
			document.loginForm.form_username.focus();
			return false;
		}
		if(document.loginForm.form_password.value == "")
		{
			alert('\nPlease enter a password.');
			document.loginForm.form_password.select();
			document.loginForm.form_password.focus();
			return false;
		}
		return true;		
	}
	// End of validation script -->
	</script>
	</head>
	<link rel=stylesheet type='text/css' href='style/display.css'>
	<body bgcolor="#FFFFFF">
<?
if(isset($userSN))
{
	printf("<H1>You have already logged in for this session.</H1><br>\n");
	printf("<center>To logout click <a href=\"logout.php\">here.</a></center>");
	printf("</body></html>");
	exit;
}

//Check Password IF $userSN is NOT SET AND either clicked Submit or are off-line
if ($submit || ($OnLine == false))  {

	$conn     = odbc_connect( DB_PROVIDER_NAME, DB_PROVIDER_USERNAME, DB_PROVIDER_PASSWORD, DB_PROVIDER_CURSORTYPE);

	// OFFLINE VERSION uses $DefaultPassword or $DefaultUserSN	
	if ($OnLine == false)  {
		$query    = "SELECT ProviderSN, ProviderName, UserName, Password, RefereeStat
					 FROM	Provider 
					 WHERE	ProviderSN = $DefaultUserSN;";
	} //End of OnLine = False
	else  {
		$form_password = md5($form_password);
		$query    = "SELECT ProviderSN, ProviderName, UserName, Password, RefereeStat
					 FROM	Provider 
					 WHERE	UserName = '" . cleanString($form_username) . "' 
					 AND	Password = '" . cleanString($form_password) . "';";
	} // end if online					
				
	$result   = odbc_exec($conn, $query);
	
	if(odbc_fetch_row($result, 1))  {
		$realUserSN 	= odbc_result($result, 1);
		$providerName	= odbc_result($result, 2);
		$userName		= odbc_result($result, 3);
		$realPassword	= odbc_result($result, 4);
		$refereeStat	= odbc_result($result, 5);

		$userSN = $realUserSN;

		odbc_free_result($result);
		odbc_close($conn);
		
		if (isset($userSN))  {
			printf("<FONT size=5><b>Welcome to Provider Login</b></FONT><br>");
			printf("<FONT size=3>%s</FONT><br>\n",  $providerName);
			printf("<b><i>You are logged on from :</i></b> %s <br><br>\n", $REMOTE_ADDR);
		}
		else printf("<FONT size=5><b>ERROR setting session cookie</b></FONT><br>");

		printf("</body></html>");
		exit;
	}
	else  { //didn't find the given password
		$notFound = true;
	}

	odbc_free_result($result);
	odbc_close($conn);

}  //END of SUBMIT or ONLINE=false
?>

<div align="center">
  <table border="0" width="100%">
    <tr> 
      <td bgcolor="E6E6E6" width="70%"> 
        <H1 align="center">Agency Login Page</H1>
        <H5 align="center">Please note that cookies must be turned on in your 
          browser to keep track of your agency. <br>
          Please contact the Mornington Div. of GP - 9769 6133 - for your password.</H5>
      </td>
    </tr>
  </table>

<? if($notFound) { ?>
  <H2><font color="#FF0000">Login Failed</font>. Please go try again. Remember 
    that the password is case-sensitive.</H2>
<? } ?>
</div>
<form method="post" name="loginForm" action="providerlogin.php"  onSubmit="return validate_form()">
  <div align="center">
    <table width="400" align="center" border="0" cellpadding="3" cellspacing="0" bgcolor="#FF0000">
      <tr> 
        <td colspan="2" align="left">
          <center>
            <strong><font face="verdana" color="#FFFFFF" size="-1">Please enter 
            Username &amp; Password</font></strong>
          </center>
        </td>
      </tr>
    </table>
    <table width="400" border="0" cellspacing="0" bgcolor="#E6E6E6">
      <tr> 
        <td align="right"><br>
          <font face="arial" size="2"><b>Username:</b></font></td>
        <td><br>
          <input NAME="form_username" value="" maxlength="12">
        </td>
      </tr>
      <tr> 
        <td align="right"><font face="arial" size="2"><br>
          <b>Password:</b></font></td>
        <td><br>
          <input NAME="form_password" type="password" maxlength="12">
        </td>
      </tr>
      <tr> 
        <td colspan=2>&nbsp;</td>
      </tr>
    </table>
    <table width="400" align="center" border="0" cellpadding="3" cellspacing="0" bgcolor="#FF0000">
      <tr> 
        <td colspan="2" align="right"> 
          <input type="submit" name="submit" value="Login">
        </td>
        <td> 
          <input type="reset" name="reset" value="Clear">
        </td>
      </tr>
    </table>

  </div>
</form>  
</body>
</html>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-05-08 20:23 UTC] chris at dvdplaza dot com dot au

When it fails under PHP 4.1.2, does it fail for ALL users or just SOME users?  We've been having sheer hell since upgrading to PHP 4.2 with exactly this - SOME people are having severe intermittent problems with reading cookies (ie sometimes they'll login okay, other times they keep being asked to login), others (such as myself) have no problem what-so-ever.

[2002-05-08 22:18 UTC] Lee dot Seldon at infotech dot monash dot edu dot au

Sequence of tests:
originally running php4.1.0
Un-installed that, installed php4.2.0 - found bug.
Un-installed php4.2.0, installed php4.1.2 - still bug.
Same behavior if Apache/php and Netscape on same machine (using 127.0.0.1 or localhost) or on different machines with different users.

[2002-05-09 01:34 UTC] chris at dvdplaza dot com dot au

I found the following on Zend's site:
----
FIX: 4.2.0 session SID broken
Sascha Schumann has posted a fix for problems with the session SID under 4.2.0. If you need it immediately, the fix can be found at http://apache.org/~sascha/php-420-session-fix, or will be available in 4.2.1 along with the other fixes since 4.2.0.
----
Sounds like it may resolve the issue we're having???

[2002-05-13 19:28 UTC] Lee dot Seldon at infotech dot monash dot edu dot au

14 May 2002
PHP 4.2.1, all other settings as before
Same behavior as 4.2.0 - on "submit" the login prompt immediately re-appears. So has NOT been fixed.
The last version for which this script works is 4.1.0
Lee

[2002-05-13 20:32 UTC] Lee dot Seldon at infotech dot monash dot edu dot au

The last version for which this script works on all my tested platforms (Win98-Win2000, Apache1.3.22, Netscape 4.75) is 4.0.6. Using the php4xx-installer.exe for MS Windows.
Also note that 4.0.6 does NOT register PHP in the MS Win registry, whereas versions >= 4.1.0 DO register it. Could the registry be causing problems with session variables? Just a question from an un-initiated user.
Lee

[2002-05-14 00:24 UTC] chris at dvdplaza dot com dot au

For f#cks sake, we STILL have this damn problem under 4.2.1 as well.  This is really starting to p#ss me off - we generate a HUGE amount of traffic, one of the top ten movie related sites in this country, and this session problem is causing viewers to constantly reload pages so that their bloody cookie logs them in - thus our bandwidth is shooting through the bloody roof (read $$$$$$$$$ down the toilet)...

[2002-05-14 00:30 UTC] rodif_bl@php.net

Can you supply a small script reproducing this problem also how frequent it happens?

every page view or random or every 10 page views?

_ brad

[2002-05-14 10:51 UTC] sander@php.net

I just tried the following script on Windows 2000 Pro and it works fine.
<?php
session_start();
print_r($_SESSION);
if(!isset($_SESSION['i'])) {
	$_SESSION['i'] = 0;
}
$_SESSION['i']++;
?>
Don't forget to set session.save_path in your php.ini! Also make sure the webserver has write access to that path.

[2002-05-15 00:43 UTC] Lee dot Seldon at infotech dot monash dot edu dot au

Here is a short version of my original script.
Behavior is similar to the original:
  php 4.0.6 - 2nd time it is run, shows "You are logged in"
  php 4.1.2, 4.2.1 - 2nd time it is run, prompts again for username and password, so has lost the $userSN session variable
<?
//Note: 
// ensure no headers are called!
    
	session_start(); // starting session
	// session variables must be global
	global $userSN;
	// registering session variables
	session_register("userSN");
	
// test if user is logged-in
?>
<html>
<head>
</head>
<body bgcolor="#FFFFFF">
<?
if(isset($userSN))
{
	printf("<H1>You have already logged in for this session.</H1><br>\n");
	printf("<center>To logout click <a href=\"logout.php\">here.</a></center>");
	printf("</body></html>");
	exit;
}

//Check Password IF userSN is NOT SET AND clicked Submit
if ($submit)  {

	$form_password = md5($form_password);
	$userSN = $form_username;

	if (isset($userSN))  {
		printf("<FONT size=5><b>Welcome to Provider Login</b></FONT><br>");
		printf("<FONT size=3>%s</FONT><br>\n",  $providerName);
		printf("<b><i>You are logged on from :</i></b> %s <br><br>\n", $REMOTE_ADDR);
	}
	else printf("<FONT size=5><b>ERROR setting session cookie</b></FONT><br>");

	printf("</body></html>");
	exit;
}  //END of SUBMIT 
?>

<form method="post" name="loginForm" action="loginphp.php">
  <div align="center">
    <table width="400" border="0" cellspacing="0" bgcolor="#E6E6E6">
      <tr> 
        <td align="right"><br>
          <font face="arial" size="2"><b>Username:</b></font></td>
        <td><br>
          <input NAME="form_username" value="" maxlength="12">
        </td>
      </tr>
      <tr> 
        <td align="right"><font face="arial" size="2"><br>
          <b>Password:</b></font></td>
        <td><br>
          <input NAME="form_password" type="password" maxlength="12">
        </td>
      </tr>
      <tr> 
        <td colspan="2" align="right"> 
          <input type="submit" name="submit" value="Login">
        </td>
      </tr>
    </table>

  </div>
</form>  
</body>
</html>

[2002-05-16 18:47 UTC] Lee dot Seldon at infotech dot monash dot edu dot au

In answer to Rasmus:
in php.ini, register_globals has always been On
Cookie warning in Netscape shows that a cookie is sent at the beginning of the session, but none is sent on "login".
There is a session file in /sessiondata, and it contains "userSN|N;" it does not contain my username.

[2002-05-22 01:37 UTC] Lee dot Seldon at infotech dot monash dot edu dot au

_SESSION code does not work in version 4.0.6 .
In my experience, $HTTP_SESSION_VARS[] also does not work in version 4.0.6. I still need session_register(...) in addition or instead of. 
session_register(...) does not work in versions > 4.1.0

[2002-06-15 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 12:00:01 2025 UTC