Bug #25084 session.referer_check is ignored by session_start() function
Submitted: 2003-08-13 18:42 UTC Modified: 2003-08-13 20:30 UTC
From: mrmax063 at maxempire dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4CVS-2003-08-13 (stable) OS: Windows XP
Private report: No CVE-ID: None

 [2003-08-13 18:42 UTC] mrmax063 at maxempire dot com

I've recently discovered that the session_start() function ignores the session.referer_check setting. And to be sure, I even downloaded the latest release in the 4CVS series, but the problem remains.

For example, if the domain name where the script is located is "", session.referer_check should be set to "". Now, according to the documentation, if someone tries to access the script from another domain with a valid session id embedded in the URL (i.e. by following an <A> link whose HREF parameter points to ), PHP should reset the session id to another value. But instead of this, the session id that's specified in the URL is accepted (even though the HTTP_REFERER field contains the address of another domain).

Reproduce code:

<?php
ini_set('session.referer_check', '');

// start the session; this is the call that should honour session.referer_check
session_start();

if (!isset($_SESSION['count']))
    $_SESSION['count'] = 0;

print('Counter: ' . $_SESSION['count'] . '<BR>');
print('Add this code to a page on *another* domain: &lt;A HREF="' . session_id() . '">HIJACK!&lt;/A><BR>');
print('HTTP_REFERER: ' . getenv('HTTP_REFERER'));
?>


Expected result:
When the above script is accessed from another domain via an <A> HTML tag and the session id is specified in the URL ("session.php?PHPSESSID=sessionid..."), the session_start() function should reset the session id to another value, since HTTP_REFERER contains the address of another domain.

Actual result:
The session_start() function accepts the session id that's specified in the URL, even though HTTP_REFERER contains the address of another domain.
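As an added, defensive example (not code from the report or from PHP itself): a page that does not rely on the engine honouring session.referer_check, but applies the documented rule in userland and turns off URL-embedded session ids altogether. The domain example.com and the plain-text counter page are assumptions made for this example.

```php
<?php
// Added example, not part of the bug report. It guards a session-using page
// two ways: it stops accepting session ids from the URL (the <A HREF>
// vector the report describes), and it re-applies the documented
// session.referer_check rule itself before trusting the session.

// Assumption: the site is served from example.com.
ini_set('session.use_only_cookies', '1');   // ignore PHPSESSID in the URL
ini_set('session.use_trans_sid', '0');      // never append the id to links
ini_set('session.referer_check', 'example.com');

/**
 * Documented referer_check rule: if the client sent a Referer and it does
 * not contain the configured substring, the presented session id is invalid.
 * An absent Referer passes, and an empty setting disables the check.
 */
function referer_allows_session(?string $referer, string $required): bool
{
    if ($referer === null || $referer === '' || $required === '') {
        return true;
    }
    return strpos($referer, $required) !== false;
}

session_start();

$referer = $_SERVER['HTTP_REFERER'] ?? null;
if (!referer_allows_session($referer, (string) ini_get('session.referer_check'))) {
    // Discard the presented session: drop its data and issue a fresh id,
    // which is the behaviour the report expected from session_start().
    $_SESSION = [];
    session_regenerate_id(true);
}

if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
}
$_SESSION['count']++;

header('Content-Type: text/plain');
echo "Counter: {$_SESSION['count']}\n";
echo 'HTTP_REFERER: ' . ($referer ?? '(none)') . "\n";
```

Because session.use_only_cookies is on, a link from another domain carrying a valid id in its query string no longer attaches the visitor to that session at all; the userland referer check is a second layer for deployments that still must accept ids from the URL.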


 [2003-08-13 18:47 UTC] mrmax063 at maxempire dot com
I forgot to mention that I'm running PHP as server module under Apache 2.0.47 on Windows XP.
 [2003-08-13 20:02 UTC]
Do you have register_globals on or off?
 [2003-08-13 20:30 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at

In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show up on the site and on the mirror sites in short time.

Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Fri Dec 06 08:01:24 2019 UTC