php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #36328 Random vhosts and .htaccess configuration leaks
Submitted: 2006-02-08 02:48 UTC Modified: 2006-06-10 23:47 UTC
Votes:7
Avg. Score:5.0 ± 0.0
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:3 (50.0%)
From: technophreak at gammae dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5.1.2, Latest CVS OS: Fedora Core 4
Private report: No CVE-ID: None
 [2006-02-08 02:48 UTC] technophreak at gammae dot com
Description:
------------
Problem is similar to BUG #25753

I am running Apache 2.0.55

I have seen this bug with PHP 5.0.5 also.

Some configuration gets leaked into random vhosts.

Reproduce code:
---------------
Let's have 3 different web sites using 3 vhosts.

One of those vhost, lets call it vhost A, I set a .htaccess file into the document_root folder:

php_flag session.use_trans_sid on
php_flag session.use_cookies off

-

If I load a page wich has a session ID already set in the cookies in Vhost B or C, the session ID will be changed as if I would load the page with no cookie.

Here is a really simple code: <? print session_id(); ?>

Note: This happens maybe 1 time on 50 so you have to refresh the page a lot of times.


Expected result:
----------------
Should print ALWAYS the same session ID as long as the session doesnt expire.

Actual result:
--------------
Sometimes, the session ID changes because session does not use cookies because the VHOST A .htaccess leaked to VHOST B.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-02-08 15:55 UTC] technophreak at gammae dot com
Changed the Summary to something people will expect to look for if they have the same problem.
 [2006-02-11 13:23 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.1-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.1-win32-latest.zip


 [2006-02-19 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2006-04-30 21:35 UTC] technophreak at gammae dot com
I've just tried with BUILD Apr 30 2006 16:49:02 in Latest CVS, same
problem occurs.

Similar bug report: #36257
 [2006-06-09 15:27 UTC] mike@php.net
Dupe of bug #36257
Please try the next CVS snapshot.

 [2006-06-10 23:47 UTC] technophreak at gammae dot com
Seems to solve the problem with latest CVS, however, 5.2.0 is not compatible with Zend Optimizer which causes me a problem. When will this fix be included in stable realease ?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 05:01:28 2024 UTC