Bug #21093 PHPSESSID not being added to form action="" if input type="image" used
Submitted: 2002-12-19 03:28 UTC Modified: 2003-01-01 06:22 UTC
From: jc at mega-bucks dot co dot jp Assigned:
Status: Closed Package: Session related
PHP Version: 4.2.3 OS: Red Hat Linux 7.2
Private report: No CVE-ID: None
 [2002-12-19 03:28 UTC] jc at mega-bucks dot co dot jp
I have session.auto_start = 1 in my php.ini. I find that the SID is not being added to a form's action="" value if the form contains a <input type="image"> tag ...

This is a serious bug as it causes sessions to be lost if <input type="image"> buttons are used in a form.

Pasted below is the output of PHP for one of my pages where I use a form and in it there is an <input type="image"> tag. As you can see the SID is added to the src="" of the image but not to the action="" field of the form, where I believe it is the right place to put it ...

Jc

<form name="write" action="/hashi/html/market/market.html" method="GET" style="margin:0px";>
<input type="hidden" name="write_review" value="true">
<input type="hidden" name="body" value="details">
<input type="hidden" name="pid" value="489000401024">
<table width="650" border="0" cellspacing="0" cellpadding="0">
 <tr valign="top"> 
  <td width="65"> 
   <div class="marginleft20"><img src="img/yajirushi_review.gif" width="25" height="42" alt=""></div>
  </td>
  <td width="445" valign="bottom"><span class="size12">̴???ˤʤäƸ??ޤ??????????ʴ?ư??ʤ??⥫?????ޡ????ӥ塼?ؽ???ߤޤ???????????ޡ????ӥ塼?Ǥϥ桼??????????ȿ?????????????????ޤ???</span></td>
  <td width="140" valign="bottom" align="right"><input type="image" name="toukou" src="img/b_writereview.gif?PHPSESSID=046e74dbd20eca0eb4f2fce3896dbc5e" width="118" height="23" alt="???ӥ塼??????" border="0"></td>
 </tr>

</table>
</form>

 [2002-12-19 18:52 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-latest.zip


 [2003-01-01 04:21 UTC] jc at mega-bucks dot co dot jp
I installed 4.3.0 and could not recreate the bug. The session ID is now correctly added as a <input type="hidden" ...> field inside the <form> </form> tags.

Still curious as to what was causing the bug, but since it's fixed I'm quite happy to leave it at that.

Thanks!
 [2003-01-01 06:22 UTC] derick@php.net
Reported fixed, so we close it.
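
A regression check for the behaviour reported in this thread, as an added example that is not part of the bug report or PHP's own code: it parses rendered HTML and records whether each form carries the session ID in its action URL or a hidden field, or only in non-submitting URLs such as an image src. The sample markup and SID value are constructed, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

SESSION_NAME = "PHPSESSID"  # session name as it appears in the report
SID = "0123456789abcdef0123456789abcdef"  # constructed placeholder value

class FormSidAudit(HTMLParser):
    """Record, for each <form>, where the session ID shows up in the markup."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>, in document order
        self._current = None   # form being parsed, or None outside a form

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        marker = SESSION_NAME + "="
        if tag == "form":
            self._current = {"name": a.get("name", ""),
                             "in_action": marker in a.get("action", ""),
                             "in_hidden": False,
                             "in_other_urls": []}
            self.forms.append(self._current)
            return
        if self._current is None:
            return
        if (tag == "input" and a.get("type", "").lower() == "hidden"
                and a.get("name") == SESSION_NAME):
            self._current["in_hidden"] = True
        for attr in ("src", "href"):   # URL attributes that do not submit the form
            if marker in a.get(attr, ""):
                self._current["in_other_urls"].append((tag, attr))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit(html):
    parser = FormSidAudit()
    parser.feed(html)
    parser.close()
    return parser.forms

def form_carries_sid(form):
    """True if the SID is in the form's action URL or in a hidden field."""
    return form["in_action"] or form["in_hidden"]

# Constructed samples, reduced from the form in the report.
HEAD = '<form name="write" action="/hashi/html/market/market.html" method="GET">'
BUGGY = HEAD + '<input type="image" name="toukou" src="img/b_writereview.gif?PHPSESSID=' + SID + '"></form>'
FIXED = HEAD + '<input type="hidden" name="PHPSESSID" value="' + SID + '"><input type="image" name="toukou" src="img/b_writereview.gif"></form>'
```

Running `audit()` over pages captured from a test deployment flags any form where `form_carries_sid()` is false while `in_other_urls` is non-empty, which is the pattern described in the original report.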
 
Last updated: Fri Sep 12 11:00:01 2025 UTC