Request #31369 session_destroy() and/or session_write_close() should unregister URL handler
Submitted: 2004-12-31 16:33 UTC Modified: 2012-03-29 09:29 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: baafie at planet dot nl Assigned: sas (profile)
Status: Wont fix Package: Session related
PHP Version: 4.3.10 OS: Linux Red hat 9 -2.4.20
Private report: No CVE-ID: None
 [2004-12-31 16:33 UTC] baafie at planet dot nl
Description:
------------
According to the PHP manual, session_start() will register an internal output handler for URL rewriting when trans-sid is enabled. Should session_destroy() and/or session_write_close() not unregister this handler?

Reproduce code:
---------------
<?php

ini_set('session.use_trans_sid', '1');
session_start();

// Double quotes so "\n" is a real newline (in single quotes it is a literal backslash-n).
echo '<a href="index.php">a page</a>' . "\n";
session_destroy();
echo '<a href="index.php">a page</a>';

?>

Expected result:
----------------
Only the link that was printed before session_destroy() should contain the session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php">a page</a>

Actual result:
--------------
Both URLs contain the session ID:

<a href="index.php?PHPSESSID=2382309823823...">a page</a>
<a href="index.php?PHPSESSID=2382309823823...">a page</a>

 [2005-01-17 02:38 UTC] destes at ix dot netcom dot com
This is a potential security issue, since I read the manual as describing the behavior this bug expects (whereas the experienced behavior is very different).  The ability to keep session data private (especially SIDs) is very important and I don't think the developers intended trans-sid to extend beyond the use of sessions in a script (i.e., beyond where the session has been destroyed).

On a sidenote, you can avoid having trans-sid append your links by using absolute (rather than relative) URLs.

I recommend that the original submitter change this back from Bogus; absolutely zero explanation was given as to why this isn't a bug, and I (personally) happen to disagree.

-Steve
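The report above shows the trans-sid rewriter staying active after session_destroy(), and the follow-up comment treats the resulting URL-embedded session ID as a privacy problem. The following is an added example, not code from the report or from ext/session: it disables URL-based session IDs entirely (so no output handler is registered in the first place) and adds a constructed check, find_sid_leaks(), that scans the buffered page for any link still carrying the session name.

```php
<?php
// Added example: cookie-only sessions plus a leak check over the rendered output.

// With trans-sid off and cookies required, session_start() registers no URL
// rewriter, so a mid-script session_destroy() cannot leave one behind.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

// Constructed helper (not a PHP built-in): return every href/src/action URL in
// $html whose query string carries the session name (PHPSESSID by default).
function find_sid_leaks(string $html, ?string $name = null): array
{
    $name = $name ?? session_name();
    $pattern = '~(?:href|src|action)=["\']([^"\']*[?&]'
             . preg_quote($name, '~') . '=[^"\']*)~i';
    preg_match_all($pattern, $html, $matches);
    return $matches[1];
}

// Buffer the page so the check runs over exactly what would be sent.
ob_start();
session_start();
echo '<a href="index.php">a page</a>' . "\n";
session_destroy();
echo '<a href="index.php">a page</a>' . "\n";
$html = ob_get_clean();

// With the settings above this list is empty; with use_trans_sid=1 the bug in
// this report makes both links show up here.
$leaks = find_sid_leaks($html);
if ($leaks !== []) {
    error_log('session ID leaked into ' . count($leaks) . ' URL(s)');
}
echo $html;
```

Re-enabling session.use_trans_sid in the snippet reproduces the report's symptom and the check flags both links, which makes it a usable regression test for the behaviour discussed here.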
 [2005-01-17 18:38 UTC] sniper@php.net
Assigning to the author of ext/session who can explain this / change it if he wishes.

 [2010-12-20 14:06 UTC] jani@php.net
-Package: Feature/Change Request +Package: Session related
 [2012-03-29 09:29 UTC] yohgaki@php.net
We are sorry, but we cannot support PHP 4 related problems anymore.


 [2012-03-29 09:29 UTC] yohgaki@php.net
-Status: Assigned +Status: Wont fix
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 19:01:29 2024 UTC