Request #24693 session.use_trans_sid should changeable by scripts
Submitted: 2003-07-17 12:57 UTC Modified: 2003-12-14 18:21 UTC
From: chris_se at gmx dot net Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.3.2 OS: GNU/Linux
Private report: No CVE-ID:
 [2003-07-17 12:57 UTC] chris_se at gmx dot net
Description:
------------
According to http://de3.php.net/manual/de/function.ini-set.php you may not alter session.use_trans_sid in PHP scripts, because it is only changeable in PHP_INI_SYSTEM|PHP_INI_PERDIR.

I do not know why this is so, but in my eyes it should at least be possible to deactivate this option at runtime.

Reproduce code:
---------------
<?php

ini_set ('session.use_trans_sid', 0);
session_start ();

?>
<a href="a.php">Test</a>


Expected result:
----------------
In an environment with 'session.use_trans_sid' activated in the php.ini file or in a .htaccess file, it should *not* append the session id to the link:

<a href="a.php">Test</a>

Actual result:
--------------
The session id is appended to the link and not even an error or notice is produced:

<a href="a.php?PHPSESSID=...">Test</a>

 [2003-07-18 09:24 UTC] wez@php.net
The decision to enable the rewriter is made before your script starts running.
Once it has started it cannot be turned off again.
 [2003-07-18 09:39 UTC] chris_se at gmx dot net
Why is that so? In my eyes, the point that makes sense for the rewriter to be started, is session_start().

Furthermore: If I kind of 'deactivate' the rewriter by ini_set ('url_rewriter.tags', ''); it also has effect on links that were already sent to output:

---------------------------------------
<?php

session_start ();

?>
<a href="a.php">Test</a>
<?php
ini_set ('url_rewriter.tags', '');
?>
<a href="a.php">Test</a>
---------------------------------------

will generate:

<a href="a.php">Test</a>
<a href="a.php">Test</a>

whereas 

---------------------------------------
<?php

session_start ();

?>
<a href="a.php">Test</a>
<?php
// ini_set ('url_rewriter.tags', '');
?>
<a href="a.php">Test</a>
---------------------------------------

appends the session id to both links.

Therefore I don't quite understand why deactivating the rewriter before session_start() is not possible whereas modifying it is even possible after session_start() and even after output that has to be rewritten was already generated.
 [2003-07-19 05:45 UTC] chris_se at gmx dot net
I tried to figure out myself how this could be solved. I just changed the definition of session.use_trans_sid to PHP_INI_ALL and I recompiled my PHP module.

Now, I can change session.use_trans_sid before session_start() is called and it works fine.

Here's the 'patch' (against PHP 4.3.2):

---------------------------------------------------------
--- ext/session/session.c.old	2003-07-19 12:29:58.000000000 +0200
+++ ext/session/session.c	2003-07-19 12:34:31.000000000 +0200
@@ -151,7 +151,7 @@
 	STD_PHP_INI_ENTRY("session.entropy_length",     "0",         PHP_INI_ALL, OnUpdateInt,    entropy_length,     php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cache_limiter",      "nocache",   PHP_INI_ALL, OnUpdateString, cache_limiter,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cache_expire",       "180",       PHP_INI_ALL, OnUpdateInt,    cache_expire,       php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_trans_sid",    "0",         PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   use_trans_sid,      php_ps_globals,    ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_trans_sid",    "0",         PHP_INI_ALL, OnUpdateBool,   use_trans_sid,      php_ps_globals,    ps_globals)
 
 	/* Commented out until future discussion */
 	/* PHP_INI_ENTRY("session.encode_sources", "globals,track", PHP_INI_ALL, NULL) */
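Review bot: The `+` line widens session.use_trans_sid to PHP_INI_ALL but keeps the generic OnUpdateBool handler, so ini_set() will accept a new value at any point in the request, including while a session is already active, without a warning. A dedicated update handler that refuses the change once the session is active would make a late call fail visibly. Note also that PHP_INI_ALL lets a script switch the option on as well as off, which puts session IDs into URLs on hosts where the administrator left it disabled.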
---------------------------------------------------------
 [2003-07-19 06:20 UTC] alan at akbkhome dot com
see  http://bugs.php.net/bug.php?id=14991 
- this won't really fix it

I agree it's a feature request - it would have to be a function like session_use_transid(true|false) as there is no mechanism for ini_set to check whether output has started...
 [2003-07-19 06:52 UTC] chris_se at gmx dot net
> as there is no mechanism for ini_set to check whether output has started

There is a mechanism: these OnUpdate*-functions. I added a function OnUpdateTransSid which is essentially the OnUpdateBool function defined within Zend/zend_ini.c but with an if-block in front of it, if the session was already started. (the if-block was taken from another OnUpdate-function that was in session.c)

It probably would be cleaner to call OnUpdateBool directly instead of just copying the code, but as all those functions are defined by precompiler macros, I assume the parameters of these functions could change, so just copying the code from OnUpdateBool seems to be more portable to me.

Here are my changes so far: (tested with PHP 4.3.2)

-----------------------------------------------------------------------
--- ext/session/session.c.old	2003-07-19 12:29:58.000000000 +0200
+++ ext/session/session.c	2003-07-19 13:46:33.000000000 +0200
@@ -105,6 +105,32 @@
 	return SUCCESS;
 }
 
+static PHP_INI_MH(OnUpdateTransSid)
+{
+	if (PS(session_status) == php_session_active) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "A session is active. You cannot change the session module's ini settings at this time.");
+		return FAILURE;
+	}
+
+	zend_bool *p;
+#ifndef ZTS
+	char *base = (char *) mh_arg2;
+#else
+	char *base;
+
+	base = (char *) ts_resource(*((int *) mh_arg2));
+#endif
+
+	p = (zend_bool *) (base+(size_t) mh_arg1);
+
+	if (strncasecmp("on", new_value, sizeof("on"))) {
+		*p = (zend_bool) atoi(new_value);
+	} else {
+		*p = (zend_bool) 1;
+	}
+	return SUCCESS;
+}
+
 static PHP_INI_MH(OnUpdateSerializer)
 {
 	if (PS(session_status) == php_session_active) {
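Review bot: In OnUpdateTransSid the session_status guard is placed before the declarations of `p` and `base`, which mixes statements and declarations and will be rejected by a C89 compiler; move `zend_bool *p;` and the `char *base` declarations above the `if`. The rest of the body is a copy of the boolean parsing, so it can drift from the original over time; a comment naming where it was copied from would help. The copied `strncasecmp("on", new_value, sizeof("on"))` test only matches exactly "on", so any other spelling falls through to atoi() and is read as 0.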
@@ -151,7 +177,7 @@
 	STD_PHP_INI_ENTRY("session.entropy_length",     "0",         PHP_INI_ALL, OnUpdateInt,    entropy_length,     php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cache_limiter",      "nocache",   PHP_INI_ALL, OnUpdateString, cache_limiter,      php_ps_globals,    ps_globals)
 	STD_PHP_INI_ENTRY("session.cache_expire",       "180",       PHP_INI_ALL, OnUpdateInt,    cache_expire,       php_ps_globals,    ps_globals)
-	STD_PHP_INI_BOOLEAN("session.use_trans_sid",    "0",         PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   use_trans_sid,      php_ps_globals,    ps_globals)
+	STD_PHP_INI_BOOLEAN("session.use_trans_sid",    "0",         PHP_INI_ALL, OnUpdateTransSid, use_trans_sid,      php_ps_globals,    ps_globals)
 
 	/* Commented out until future discussion */
 	/* PHP_INI_ENTRY("session.encode_sources", "globals,track", PHP_INI_ALL, NULL) */
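Review bot: With PHP_INI_ALL on the `+` line, OnUpdateTransSid rejects a change only while a session is active, so before session_start() a script can turn session.use_trans_sid on as well as off. The request was for deactivation at runtime; if enabling from scripts is not intended, the handler should also refuse a true value, since that exposes session IDs in URLs. Either way the changeability stated in the ini_set() manual (PHP_INI_SYSTEM|PHP_INI_PERDIR) needs updating alongside this.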
-----------------------------------------------------------------------
 [2003-12-14 18:21 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

This is now possible in PHP 5.0.
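
A runtime check for the situation in this report, as an added example that is not part of the original thread or of PHP itself: it disables URL-based session IDs before session_start() and fails closed when the setting does not take effect, instead of silently emitting links with PHPSESSID. The helper name `require_cookie_only_sessions()` is hypothetical; PHP 7.1 or later is assumed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: force cookie-only session IDs before session_start().
 * Throws instead of letting the URL rewriter leak the session ID into links.
 */
function require_cookie_only_sessions(): void
{
    // Session ini settings are locked once the session is active.
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('Session already active; settings are locked.');
    }

    $wanted = [
        'session.use_trans_sid'    => false, // no PHPSESSID appended to URLs
        'session.use_cookies'      => true,
        'session.use_only_cookies' => true,  // ignore session IDs passed in URLs
    ];

    foreach ($wanted as $name => $enabled) {
        // ini_set() returns the OLD value on success, which may be "" or "0",
        // and false on failure. The return value alone is easy to misread,
        // so the effective value is read back and checked below.
        ini_set($name, $enabled ? '1' : '0');

        $current = ini_get($name);
        if ($current === false) {
            throw new RuntimeException("$name is not available (session extension missing?)");
        }
        // Accepts "1"/"0", "On"/"Off" and "" as PHP reports boolean settings.
        $effective = filter_var($current, FILTER_VALIDATE_BOOLEAN);
        if ($effective !== $enabled) {
            throw new RuntimeException(
                "$name could not be set to " . ($enabled ? 'on' : 'off') .
                '; refusing to start a session.'
            );
        }
    }
}

require_cookie_only_sessions();
session_start();
?>
<a href="a.php">Test</a>
```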
 
Last updated: Sun Apr 20 19:01:51 2014 UTC