|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2002-05-29 14:41 UTC] dan at abledesign dot com
Situation: Working with PHP4's session functions, I've encountered a problem on a local install (PHP 4.2.1, Apache2 (could also be an Apache2 bug), Windows XP, MySQL 3.23.49) that does not exist with the same script on a Linux/Apache 1.x/PHP 4.1.2 installation with the same PHP configurations. It would appear to be a bug in PHP's handling of $_SESSION in certain situations, but it's possible something else is going on that has escaped my attention. Symptoms: Using $_SESSION as outlined in the PHP docs with session_start() and no session_register() for register_globals being turned off, logging into the script in question creates a session but does not write the actual session data (key/value pairs) to it. Just a session id and expiry. This happens with either the standard /tmp/ flatfile or MySQL (session_set_save_handler) session logging. Solution: The only thing I found that could get it to correctly write the session data is to replace $_SESSION with $HTTP_SESSION_VARS throughout the script. That doesn't make sense, since 4.2.1 is obviously more recent than the 4.1.0 release which added $_SESSION... Ok, one step down. More surprising is that on logging out, unset'ing the session variables is not "writing" the empty session to the database. It should leave the session id and expiry in place and wipe out the session data, but all remains untouched. The session variables themselves are being emptied (tested by echoing them to the browser), but that's it. unset($HTTP_SESSION_VARS['sess_id']); unset($HTTP_SESSION_VARS['sess_name']); or: unset($HTTP_SESSION_VARS); Neither of those approaches worked from the standpoint of changing the session (as opposed to the variables' values). The thing that I found which sort of works is to set the session variables to NULL instead of unset'ing them: $HTTP_SESSION_VARS['sess_id'] = NULL; $HTTP_SESSION_VARS['sess_name'] = NULL; That didn't exactly empty the session, but it did make it invalid, with the following session data resulting: sess_id|N;sess_name|N; as opposed to the valid format which might look like: sess_id|s:1:"1";sess_name|s:5:"admin"; For a username of "admin" and a id of "1". I guess that's better than nothing, but it isn't overly assuring that unset() doesn't work... I did find mention of what appears to be the same problem in another bug tracker report: http://bugs.php.net/bug.php?id=15923 Making the above outlined changes did not adversely affect the non-local installation of the script, so it appears to be a good balance if you need something to work on multiple server environments. A couple of other bug reports that are loosely related by may or may not be the same are: http://bugs.php.net/bug.php?id=17069 http://bugs.php.net/bug.php?id=16890 Thanks, Dan Kaplan PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Dec 26 13:01:30 2024 UTC |
Can you test the same no W2K ? Can't reproduce this on W2k, try this simple script and see if it works: --8<--- <? session_start(); if (isset($_REQUEST['key']) && isset($_REQUEST['value'])) { $GLOBALS[$_REQUEST['key']] = $_REQUEST['value']; session_register($_REQUEST['key']); echo "Registered {$_REQUEST['key']}.<br />\n"; } if (count($_SESSION) > 0) { echo "The following session variables are registered:<br />\n"; foreach ($_SESSION as $key => $value) { echo "$key => $value<br />\n"; } echo "<br />\n"; } ?> <hr /> <form action="<?=$_SERVER['PHP_SELF']?>" method="post"> Key: <input name="key"/><br /> Value: <input name="value"><br /> <input type="submit" /> </form> --8<--- Note: you've to refresh after a registration!> Given your response to my sample tells > me that sessions do work properly. The point of the report was not to say that sessions do not work (they obviously do, as shown by the fix I outlined above), rather that certain aspects of them do not appear to be properly supported in some environments. > I suspect a bug in the code you use or > the way you expect sessions to work. Ok, here is what I've got, in simplified form (no need for you to read through the extraneous hidden fields, MySQL queries, and what not): -- login form: print <<<HERE <form action="$PHP_SELF" method="GET"> <input type="text" name="username" value="" size="20" maxlength="15"> <input type="password" name="password" value="" size="20" maxlength="15"> <input type="submit" value="Submit"> </form> HERE; -- login processing script: (This is actually routed through an index page that starts the session, includes config and library files, page formatting, and includes the requested file, which is the login processing form in this case.) <?php session_start(); if (isset($_SESSION["sess_id"])) { // remove any existing sessions for this user unset($_SESSION["sess_id"]); unset($_SESSION["sess_name"]); } $sql = "SELECT * FROM Users WHERE Username='". addslashes($_GET["username"]) ."' AND Password='". addslashes($_GET["password"]) ."'"; $result = mysql_query($sql); if (!$result || (mysql_num_rows($result) < 1)) { // redirect to failed login prompt } else { $row = mysql_fetch_array($result); $_SESSION["sess_id"] = $row["ID"]; $_SESSION["sess_name"] = $_GET["username"]; // redirect to main page after setting the session echo "<script language=\"JavaScript\">window.location='index.php'</script>"; } ?> As explained above, that does not work on all servers. Doing the exact same thing but with $HTTP_SESSION_VARS in place of $_SESSION and not using unset() on the session variables does however work. Surely I'm not misunderstanding how sessions should work in this example? Thanks, Dan