php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18855 PHPSESSID, The Session Key is chagned in same page
Submitted: 2002-08-11 08:30 UTC Modified: 2014-08-09 20:05 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: number3 at windogs dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 4.2.2 OS: Linux 2.4.18
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: number3 at windogs dot com
New email:
PHP Version: OS:

Further comment on this bug is unnecessary.

 

 [2002-08-11 08:30 UTC] number3 at windogs dot com
Hi,

i have used the php session with pgsql handler, for user authencation.
but I find that the php session key, PHPSESSID is changed same page. that sistuation is not always, but a few time.


my debug code below.
--------------------------------------------
session_register("userinfo");
$q_update = "UPDATE session SET userid = '".$userinfo->id."' WHERE sesskey = '".$PHPSESSID."'";
pg_exec($conn, $q_update);
--------------------------------------------

the register value "userinfo" is class var.
in debug result, the empty PHPSESSID value, not null value value is recorded.
and Session key is threr changed.
1. orginal sesskey
2. empty sesskey
3. new sesskey

That result in no login because sesskey is changed.

why that cause ?

addition, why be The PHPSESSID empty value ?
that is not normal. that situtaion result in session share.
1. user A -> login with sesskey1(sucess)
2. user B -> login with sesskey2(sucess)
3. user A -> logout and new sesskey in empty value
4. user B -> logout and new sesskey in empty value
5. so A and B share same sesskey.
After that sistuation,
6. user A login sucessful, and 
user B load other page, that user B have user A's session value, so user A and B share session with empty sesskey.

That is prevented from php session lib that empty value of sesskey no permitted.

thanks for advanced.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-08-13 21:50 UTC] kalowsky@php.net
I'm not sure I understand this bug completely, so bare with me.  From what I gather, your code writes a new userid based upon the userinfo->id, where the PHPSESSID is.  From your example though I don't see how this could be possible as the $PHPSESSID won't change during the execution of the page.  

But in any case, can you please provide a short sample script to reproduce this?  It would help.
 [2002-09-19 13:24 UTC] kalowsky@php.net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


 [2014-08-09 20:05 UTC] rasmus@php.net
-Block user comment: No +Block user comment: Yes
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Dec 05 14:03:37 2021 UTC