php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #3411 Transparent sessions breaking randomly
Submitted: 2000-02-05 09:40 UTC Modified: 2000-08-01 09:32 UTC
From: mian at thirty4 dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4.0 Beta 3 OS: Linux
Private report: No CVE-ID: None
 [2000-02-05 09:40 UTC] mian at thirty4 dot com
With transparent session ids turned on, and cookies disabled, the auto sid function sometimes breaks on urls that have other variables passed on the url.

SID inserted:
href="skinview.php??sid=2a5ae9d5d09a578644ed872068ba443carea=winamp2&skin=Metallic+Nebula"

Original script:
href="skinview.php?area=winamp2&skin=Metallic+Nebula"

SID inserted:
href="profile.php?user=&sid=2a5ae9d5d09a578644ed872068ba443cshark3000"

Original script:
href="profile.php?user=shark3000"

Problem only occurs on some URLS on some of the pages, is real random, wish i could find the connection on the broken URLS.  See http://beta.skinz.org for more live demo.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-02-05 19:30 UTC] mian at thirty4 dot com
With transparent session ids turned on, and cookies disabled, the auto sid function
sometimes breaks on urls that have other variables passed on the url.

SID
inserted:
href="skinview.php??sid=2a5ae9d5d09a578644ed872068ba443carea=winamp2&skin=Metallic+Nebula"

Original script:
href="skinview.php?area=winamp2&skin=Metallic+Nebula"

SID inserted:
href="profile.php?user=&sid=2a5ae9d5d09a578644ed872068ba443cshark3000"

Original script:
href="profile.php?user=shark3000"

Problem only occurs on some URLS on some of the pages, is real random, wish i could find
the connection on the broken URLS.  See http://beta.skinz.org for more live demo.

[update]
Problem is when you have half HTML / PHP URLs, the sid inserts itself before the PHP is parsed.  Above script was
<a href="/skinview.php?area=<? echo $row->area; ?>&skin=< echo urlencode($row->name); ?>">, the 
sid is being inserted after the area= and then the PHP is parsed and added to the end of the
sid.  I suggest parsing the full URL until the closing " of the href is found before inserting
the sid.  Fixed code: <? echo "&lt;a href=\"/skinview.php?area=$row-&gt;area&skin=".urlencode($row-&gt;name)."\"&gt;"; ?&gt;

Please notify if/when this is fixed as the site is due to 
open March 1st.  Great work with the transparent sid's all up though, it saves alot of time on developing large sites.
 [2000-02-05 19:31 UTC] mian at thirty4 dot com
With transparent session ids turned on, and cookies disabled, the auto sid function
sometimes breaks on urls that have other variables passed on the url.

SID
inserted:
href="skinview.php??sid=2a5ae9d5d09a578644ed872068ba443carea=winamp2&skin=Metallic+Nebula"

Original script:
href="skinview.php?area=winamp2&skin=Metallic+Nebula"

SID inserted:
href="profile.php?user=&sid=2a5ae9d5d09a578644ed872068ba443cshark3000"

Original script:
href="profile.php?user=shark3000"

Problem only occurs on some URLS on some of the pages, is real random, wish i could find
the connection on the broken URLS.  See http://beta.skinz.org for more live demo.

[update]
Problem is when you have half HTML / PHP URLs, the sid inserts itself before the PHP is parsed.  Above script was
<a href="/skinview.php?area=<? echo $row->area; ?>&skin=< echo urlencode($row->name); ?>">, the 
sid is being inserted after the area= and then the PHP is parsed and added to the end of the
sid.  I suggest parsing the full URL until the closing " of the href is found before inserting
the sid.  Fixed code: <? echo "<a href=\"/skinview.php?area=$row->area&skin=".urlencode($row->name)."\">"; ?>

Please notify if/when this is fixed as the site is due to 
open March 1st.  Great work with the transparent sid's all up though, it saves alot of time on developing large sites.
 [2000-07-18 09:36 UTC] hholzgra at cvs dot php dot net
this is a transcript from phpdev list that should explain 
what's wrong here:

On Mon, 3 Jul 2000, Hartmut Holzgraefe wrote:
> there is some problem related to the interaction of output buffering
> (i guess) and --trans-sid-id url rewriting
> 
> the problem is that the function performing the actual rewrite
> (url_scanner() in ext/standard/url_scanner.c) will be provided 
> with chunks of data that may contain incomplete parts of an url
> spanning across a buffer boundary
> 
> as the url_scanner() does not know that it was provided with 
> incomplete data it will attach the session id parameter to the 
> end of the url as it appears in the buffer passed into it as a
> parameter, and in the next step the remaining part of the url
> located at the very beginning of the next chunk of output is
> appended to the session id parameter just added, with the final
> result of an url with the session id parameter stuffed into the
> middle of the url

    Correct analysis.

    The fix is to make the url scanner context-sensitive, so that
    it will buffer and correctly patch URLs. 
    
    Please use output buffering in the meantime.

    - Sascha
 [2000-07-18 09:42 UTC] hholzgra at cvs dot php dot net
changed to 'session related'
 [2000-07-28 17:53 UTC] hholzgra@php.net
ok, i'll go for it
 [2000-08-01 09:32 UTC] hholzgra@php.net
the rewrite is in CVS now

 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Thu Aug 11 17:05:44 2022 UTC