Bug #24380 session side-effect bug
Submitted: 2003-06-28 18:39 UTC Modified: 2003-06-28 23:38 UTC
From: akukin at ihug dot co dot nz Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.2 OS: win2k & linux
Private report: No CVE-ID: None
 [2003-06-28 18:39 UTC] akukin at ihug dot co dot nz
Description:
------------
1.
After running the following source code I get:
================================================
Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0
================================================
I expect no such warning, as I am not using any register_globals etc.; I am only using the suggested session handling API: session_start & $_SESSION array.

2. Also found:

By changing the last 2 lines to:
//$_SESSION["test"] = NULL;
unset($_SESSION["test"]);

warning disappears.

By changing "$test = " to "$test2 = " the warning disappears as well.


Should it be a feature, I would appreciate it if you sent me an explanation of this feature, as it does not make any sense to me.

Reproduce code:
---------------
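<?php
session_start();

// Global variable that shares its name with the session key "test"
$test =
  isset($_SESSION["test"])
  ? $_SESSION["test"]
  : "test";

// Assigning NULL (rather than unset()) is the variant that produces the warning
$_SESSION["test"] = NULL;
//unset($_SESSION["test"]);
?>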


Expected result:
----------------
I expect not to have this warning, as I am not using any register_globals etc.; I am only using the suggested session handling API: session_start & $_SESSION array.

Actual result:
--------------
Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0

 [2003-06-28 20:54 UTC] sniper@php.net
Is register_globals on or off? Try this:

<?php echo ini_get('register_globals'); ?>


 [2003-06-28 22:33 UTC] sniper@php.net
Just set "session.bug_compat_42 = 0" in your php.ini.
(or if you're using apache, in .htaccess file, using php_value)

The error message clearly says:
 
"..unless register_globals is enabled.."

"..You can disable this functionality and this warning by 
setting session.bug_compat_42 or session.bug_compat_warn to off.."

And btw. correct way to unset session variables is to use 'unset()', and this error message actually tells you that you're doing something wrong.


 [2003-06-28 22:59 UTC] akukin at ihug dot co dot nz
>Just set "session.bug_compat_42 = 0" in your php.ini

You are asking me to hide the bug (maybe my bug, maybe a PHP one). Of course I will do this for my little app when it is deployed, but I just want this feature to be treated as a BUG unless there is an explanation for it! I did try to set session.bug_compat_42 to OFF before submitting the bug report. Yes, it did hide it - but this is not a solution, as the message clearly says I am doing the WRONG thing.

So, what wrong thing (bug) am I doing??? And if none - it is clearly a PHP bug.

>And btw. correct way to unset session variables is to use 'unset()'
Well, you are right that to unset the variable you use unset but what if I do not want to unset it but just want to NULL its value???

>and this error message actually tells you that you're doing something wrong.
What am I doing wrong? Should the warning let me know (at least) the line number of the "wrong code"? I want to correct my code rather than "hide the bug", or I want to flag this PHP bug so that it is fixed in the subsequent PHP release.
 [2003-06-28 23:38 UTC] sniper@php.net
By setting session.bug_compat_42 to 0 (off), you DISABLE the bug/side-effect (feature to some users..). 

You can safely ignore it. Just keep the ini setting  
"session.bug_compat_42" off. It's only there to allow
people who rely on this misbehaviour to keep their old
scripts working.

And yes, you were doing the wrong thing, but ONLY as you had not disabled the bug.


 [2004-07-06 05:04 UTC] chanbangyuan at yahoo dot com
This is not a bug; the default register_globals has changed from On to OFF since PHP 4.2.0 to discourage developers from writing insecure code. This is explained in:

http://cn.php.net/manual/en/security.globals.php

If you don't mind your code being less secure, just change register_globals = on in your php.ini

Otherwise, use the new $_SESSION as described in the PHP manual "Session handling functions":

[Use of $_SESSION (or $HTTP_SESSION_VARS with PHP 4.0.6 or less) is recommended for improved security and code readability. With $_SESSION, there is no need to use the session_register(), session_unregister(), session_is_registered() functions. Session variables are accessible like any other variables. ]
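
A simplified model of the save-time side effect discussed in this thread, added here as an example; it is not code from the report or from PHP's source. The function name `model_session_save` and the `$globals` array standing in for the script's global symbol table are assumptions. It reproduces the three observations in the report (NULL assignment, unset(), renaming the global) and the effect of turning session.bug_compat_42 off.

```php
<?php
// Simplified model (an assumption, not PHP's source) of the PHP 4.3 session
// save step with register_globals off. $globals stands in for the script's
// global symbol table at the moment the session is written.
function model_session_save(array $session, array $globals,
                            bool $bugCompat42 = true,
                            bool $bugCompatWarn = true): array
{
    $warn = false;
    if ($bugCompat42) {
        foreach ($session as $name => $value) {
            // Only entries that exist and hold NULL are candidates;
            // entries removed with unset() are simply absent from $session.
            if ($value === null && array_key_exists($name, $globals)) {
                // The same-named global is copied into the session data.
                $session[$name] = $globals[$name];
                $warn = true;
            }
        }
    }
    // bug_compat_warn only controls the message, not the copy itself.
    return ['saved' => $session, 'warning' => $warn && $bugCompatWarn];
}

// Constructed cases mirroring the report: [session, globals, bug_compat_42]
$cases = [
    'NULL + global $test'      => [['test' => null], ['test' => 'test'], true],
    'unset() instead of NULL'  => [[], ['test' => 'test'], true],
    'global renamed to $test2' => [['test' => null], ['test2' => 'test'], true],
    'bug_compat_42 off'        => [['test' => null], ['test' => 'test'], false],
];

foreach ($cases as $label => [$session, $globals, $compat]) {
    $r = model_session_save($session, $globals, $compat);
    printf("%-26s warning=%-3s saved=%s\n",
        $label,
        $r['warning'] ? 'yes' : 'no',
        json_encode($r['saved']));
}
```

In the first case the model stores the global's value under `test` even though the script assigned NULL, which is why leaving session.bug_compat_42 on matters for session integrity and not only for the warning.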
 
Last updated: Fri Sep 27 22:01:26 2024 UTC