PHP :: Bug #41131 :: Sessions are leaked when using Apache's UserDir function

Bug #41131	Sessions are leaked when using Apache's UserDir function
Submitted:	2007-04-18 13:26 UTC	Modified:	2007-04-18 13:40 UTC
From:	erik-php at vanpienbroek dot nl	Assigned:
Status:	Not a bug	Package:	Session related
PHP Version:	5.2.1	OS:	CentOS Linux 4.4
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	erik-php at vanpienbroek dot nl
New email:
PHP Version:		OS:

New/Additional Comment:

[2007-04-18 13:26 UTC] erik-php at vanpienbroek dot nl

Description:
------------
Hi,

I'm the administrator of a webserver which is used by a school to
serve websites for students. All the individual websites are
published using the UserDir function from PHP (so we don't use
VHosts).

Say there are 2 Apache UserDirs available, /home/a and /home/b
(which are reachable from http://myhost/a and http://myhost/b).
Both UserDirs contain the attached index.php script.

When you open your browser and navigate to http://myhost/a you'll
get the message 'my_var set'. If you refresh this page you'll get
the message 'my_var = hello world!'.

When you navigate to http://myhost/b using the same browser window
you get the message 'my_var = hello world!'. This isn't the expected
behaviour as both URL's are actually seperate websites and thus
should have a seperate session.

This way it is possible for seperate UserDirs to see each other session data (assuming that the user navigates to both UserDirs
from the same browser window). When Apache modules like
mod_suid/mod_ruid are used this behaviour triggers 'permission denied'
errors as the session file is created with the ownership of
the user belonging to the first UserDir request and later
being opened by the user belonging to the other UserDir (and fails).

Would it be possible for PHP to find out if a Apache request
is pointing to a UserDir and if so, create a new session for it?

Thanks in advance.

Reproduce code:
---------------
<?
session_start();

if (!isset($_SESSION['my_var'])) {
        $_SESSION['my_var'] = "hello world!";
        echo "my_var set\n";
} else {
        echo "my_var = " . $_SESSION['my_var'] . "\n";
}
?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-04-18 13:40 UTC] mike@php.net

Set the "session.cookie_path" INI setting per UserDir.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 30 04:01:30 2024 UTC