|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18855 PHPSESSID, The Session Key is chagned in same page
Submitted: 2002-08-11 08:30 UTC Modified: 2014-08-09 20:05 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: number3 at windogs dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 4.2.2 OS: Linux 2.4.18
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2002-08-11 08:30 UTC] number3 at windogs dot com

i have used the php session with pgsql handler, for user authencation.
but I find that the php session key, PHPSESSID is changed same page. that sistuation is not always, but a few time.

my debug code below.
$q_update = "UPDATE session SET userid = '".$userinfo->id."' WHERE sesskey = '".$PHPSESSID."'";
pg_exec($conn, $q_update);

the register value "userinfo" is class var.
in debug result, the empty PHPSESSID value, not null value value is recorded.
and Session key is threr changed.
1. orginal sesskey
2. empty sesskey
3. new sesskey

That result in no login because sesskey is changed.

why that cause ?

addition, why be The PHPSESSID empty value ?
that is not normal. that situtaion result in session share.
1. user A -> login with sesskey1(sucess)
2. user B -> login with sesskey2(sucess)
3. user A -> logout and new sesskey in empty value
4. user B -> logout and new sesskey in empty value
5. so A and B share same sesskey.
After that sistuation,
6. user A login sucessful, and 
user B load other page, that user B have user A's session value, so user A and B share session with empty sesskey.

That is prevented from php session lib that empty value of sesskey no permitted.

thanks for advanced.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-08-13 21:50 UTC]
I'm not sure I understand this bug completely, so bare with me.  From what I gather, your code writes a new userid based upon the userinfo->id, where the PHPSESSID is.  From your example though I don't see how this could be possible as the $PHPSESSID won't change during the execution of the page.  

But in any case, can you please provide a short sample script to reproduce this?  It would help.
 [2002-09-19 13:24 UTC]
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.

 [2014-08-09 20:05 UTC]
-Block user comment: No +Block user comment: Yes
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 21 22:01:32 2024 UTC