php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #4127 session restarted after session_destroy()
Submitted: 2000-04-13 03:53 UTC Modified: 2000-10-22 12:32 UTC
From: m2 at megar dot easynetbox dot net Assigned:
Status: Closed Package: Session related
PHP Version: 3.0.16 OS: Linux
Private report: No CVE-ID: None
 [2000-04-13 03:53 UTC] m2 at megar dot easynetbox dot net
php4rc1

The following script creates a session containing "ses_sToto="session OK".
Load it with your browser.
Verify that the session is created by reloading the page.
Destroy the session and verify that the session no longer exists in /tmp.
Refresh the page in your browser: a new session is created, but it has the same SID !

As the cookie still exists in the browser, the browser sends it to the script, and PHP, create the session, with the given SID.

Php should generate a new SID if the SID given by the browser does not exist.

The problem is that with a login/passwd registering function, a session can be restarted by pushing the 'back' button in the browser.

<?php
 session_start();
 session_register("ses_sToto");

 print("session_id()=".session_id());
 if ($ses_sToto=="")
  $ses_sToto="session OK";
?>

./configure  --with-mysql --with-apache=../apache_1.3.12 --enable-track-vars



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-10-22 12:32 UTC] sas@php.net
After destroying a session, the session id becomes meaningless. So, it does not make any difference whether we create a new sid or reuse the old one.

The example you give does not apply as no data is associated with the session anymore at that point.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Aug 15 21:05:49 2022 UTC