Bug #40973 session don't work if used $_SERVER in any way
Submitted: 2007-04-01 16:12 UTC Modified: 2007-04-05 10:21 UTC
Votes:2
Avg. Score:3.0 ± 2.0
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: krassesache at gmx dot net Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.1 OS: WinXP SP2
Private report: No CVE-ID: None
 [2007-04-01 16:12 UTC] krassesache at gmx dot net
Description:
------------
If I use $_SERVER in any way but with PDO statements [ $stmt->execute(array($_SERVER['REMOTE_ADDR'])) ], a session will not work.

In my example I first open foobar.php and then foobar2.php. If I remove the 4th line in foobar2.php [ $var = $_SERVER['REMOTE_ADDR']; ], the text "bar" appears, but with the line, nothing happens. In another case I used preg_match('#MSIE#',$_SERVER['HTTP_USER_AGENT']), with the result that the website is shown but the session doesn't work (the original problem).

Reproduce code:
---------------
=> foobar.php
<?php

session_start();
$_SESSION['foo'] = 'bar';

?>

=> foobar2.php
<?php

session_start();
$var = $_SERVER['REMOTE_ADDR'];
echo $_SESSION['foo'];

?>

Expected result:
----------------
bar

Actual result:
--------------
<nothing>

 [2007-04-03 18:58 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

Works perfectly fine.
 [2007-04-04 16:01 UTC] krassesache at gmx dot net
I also used PHP 5.2 with the same result.
 [2007-04-04 16:04 UTC] tony2001@php.net
Cannot reproduce.

 [2007-04-04 16:24 UTC] krassesache at gmx dot net
I got it!!!

If I set

session.referer_check = 1
session.referer_check = 0

in php.ini, the problem appears.
If I set it to

session.referer_check = 

the session will work?!
 [2007-04-04 18:06 UTC] tony2001@php.net
Works perfectly fine whatever I do and doesn't depend on the value of session.referer_check.
 [2007-04-04 18:31 UTC] krassesache at gmx dot net
Okay, I don't know why, but in my case it's the reason. Maybe a very specific problem. Never mind...
 [2007-04-04 18:46 UTC] tony2001@php.net
Please provide some more information on your environment: the webserver used, server API (cgi or module).
Do you have any firewalls that might affect it?
Are you sure the code provided is enough to reproduce it? 
 [2007-04-05 00:39 UTC] krassesache at gmx dot net
Okay,
no firewall / Windows firewall is off

phpinfo() of my localhost: http://blakkcooper.de/phpinfo.php.html
You see session.referer_check is set to "no value". No matter if I set it to "0" or "1", the sessions don't work. It works only with "no value".

I tested the example again and this happened:

opened http://localhost --> no session established (normal)
opened http://localhost/foobar.php --> new session established
opened http://localhost/foobar2.php --> a NEW SESSION was established (new SESSID)

I tested this with Firefox 2.0.0.2, Opera 9.02 and session.referer_check = 0
It's nuts! My example works sometimes, sometimes not?! It seems that it's random... On my website it works NEVER. It's like god will fuck me up -.-
 [2007-04-05 00:56 UTC] scottmac@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

session.referer_check is used to see if a substring is present in the referrer, it's not a boolean flag.
 [2007-04-05 10:12 UTC] krassesache at gmx dot net
I see... it's not a bug, it's a feature :D
 [2007-04-05 10:21 UTC] krassesache at gmx dot net
; Check HTTP Referer to invalidate externally stored URLs containing ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.

session.referer_check --> string

damn it >.< selfowned
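
Added illustration (not part of the original report, and not PHP's own source code): a simplified PHP model of the substring test that the php.ini comment above describes, showing why "0" and "1" act as search strings rather than booleans. The function name and sample URLs are hypothetical, and the model assumes that a request without a Referer header skips the check.

```php
<?php
// Simplified model of the session.referer_check test (illustration only).

/**
 * Returns true when an incoming session ID would be kept.
 * $check   : value of session.referer_check (always a string in php.ini)
 * $referer : the request's Referer header, or null when none was sent
 */
function session_id_accepted(string $check, ?string $referer): bool
{
    if ($check === '') {
        return true;    // "no value": the check is disabled
    }
    if ($referer === null || $referer === '') {
        return true;    // assumption: no Referer sent, nothing to compare
    }
    // Plain substring search, so "0" and "1" are search strings, not flags.
    return strpos($referer, $check) !== false;
}

// Constructed sample requests (hypothetical URLs).
$cases = [
    ['',          'http://localhost/foobar.php'],   // check disabled
    ['0',         'http://localhost/foobar.php'],   // no "0" in the URL
    ['1',         'http://localhost/foobar.php'],   // no "1" in the URL
    ['1',         'http://127.0.0.1/foobar.php'],   // URL happens to contain "1"
    ['0',         null],                            // URL typed in, no Referer
    ['localhost', 'http://localhost/foobar.php'],   // intended use: own host name
    // The match is anywhere in the URL, not only the host part, so this
    // setting is not a substitute for real origin validation.
    ['localhost', 'http://other.example/?next=localhost'],
];

foreach ($cases as [$check, $referer]) {
    printf("referer_check=%-11s referer=%-40s => %s\n",
        var_export($check, true),
        var_export($referer, true),
        session_id_accepted($check, $referer) ? 'session kept' : 'new session');
}
```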
 
Last updated: Mon Apr 29 16:01:31 2024 UTC