php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #4127 session restarted after session_destroy()
Submitted: 2000-04-13 03:53 UTC Modified: 2000-10-22 12:32 UTC
From: m2 at megar dot easynetbox dot net Assigned:
Status: Closed Package: Session related
PHP Version: 3.0.16 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: m2 at megar dot easynetbox dot net
New email:
PHP Version: OS:

 

 [2000-04-13 03:53 UTC] m2 at megar dot easynetbox dot net
php4rc1

The following script creates a session containing "ses_sToto="session OK".
Load it with your browser.
Verify that the session is created by reloading the page.
Destroy the session and verify that the session no longer exists in /tmp.
Refresh the page in your browser: a new session is created, but it has the same SID !

As the cookie still exists in the browser, the browser sends it to the script, and PHP, create the session, with the given SID.

Php should generate a new SID if the SID given by the browser does not exist.

The problem is that with a login/passwd registering function, a session can be restarted by pushing the 'back' button in the browser.

<?php
 session_start();
 session_register("ses_sToto");

 print("session_id()=".session_id());
 if ($ses_sToto=="")
  $ses_sToto="session OK";
?>

./configure  --with-mysql --with-apache=../apache_1.3.12 --enable-track-vars



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-10-22 12:32 UTC] sas@php.net
After destroying a session, the session id becomes meaningless. So, it does not make any difference whether we create a new sid or reuse the old one.

The example you give does not apply as no data is associated with the session anymore at that point.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed Aug 17 05:05:45 2022 UTC