Bug #43451 Session data got loaded multiple times for different users
Submitted: 2007-11-29 15:09 UTC
Modified: 2008-02-03 01:00 UTC
From: mg at memedia dot de
Assigned:
Status: No Feedback
Package: Session related
PHP Version: 5.2.5
OS: GNU/Debian 4.0
Private report: No
CVE-ID: None
 [2007-11-29 15:09 UTC] mg at memedia dot de
Description:
------------
A customer was forwarded to me on the phone today, telling me she would see the customer area of another customer on our online-shop. 

That was indeed very surprising. The site uses no client-side cookies, except the one from the PHP session management.

Anyway, she got on our site by typing in the URL into the address bar, no injections and stuff. Moreover I found out that she was not the only one with the "problem".

From 12:14:28 to 13:57:36 I count about 10 different IP addresses with different browsers in our logs that used ONE session (d28b9616a3013ef6441f8e4383d7e05b). The session must have been loaded multiple times, because we put that data also in our db-based user-tracking.

It seems the session was started different times with the same SessionID. There was no session id given by URL or cookie. People came according to the referer from different sites.

As I said we use the PHP session management. There are about 20-30 people most of the time online. Not every one was affected.

The file itself (under /var/lib/php5) seems to be ok. 


We're using the distribution from dotdeb.org on our servers.


Any clues where the problem could hang? Is it Apache or PHP? How is the hash for the session file created?

I guess I will add an IP-referer and Browser User Agent check first to avoid the problem in future.



Reproduce code:
---------------
--
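
Added example, not part of the original report and not PHP's own code: the log check the report describes, one session ID used by many different IP addresses and browsers within a short period, run over constructed records. The pipe-separated layout, the IP addresses, the User-Agent strings and the second and third session IDs are assumptions; only the first session ID is quoted from the report.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp|client IP|session ID|User-Agent.
# Layout and values are assumptions; only the first session ID is from the report.
SAMPLE_LOG = """\
2007-11-29 12:14:28|192.0.2.10|d28b9616a3013ef6441f8e4383d7e05b|Mozilla/4.0 (compatible; MSIE 6.0)
2007-11-29 12:20:02|198.51.100.7|d28b9616a3013ef6441f8e4383d7e05b|Mozilla/5.0 Firefox/2.0
2007-11-29 12:21:40|192.0.2.10|d28b9616a3013ef6441f8e4383d7e05b|Mozilla/4.0 (compatible; MSIE 6.0)
2007-11-29 13:57:36|203.0.113.99|d28b9616a3013ef6441f8e4383d7e05b|Opera/9.24
2007-11-29 12:30:00|192.0.2.55|0123456789abcdef0123456789abcdef|Mozilla/5.0 Firefox/2.0
2007-11-29 12:45:00|192.0.2.55|0123456789abcdef0123456789abcdef|Mozilla/5.0 Firefox/2.0
2007-11-29 09:00:00|192.0.2.80|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|Mozilla/5.0 Firefox/2.0
2007-11-29 18:00:00|192.0.2.81|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|Mozilla/5.0 Firefox/2.0
"""

def parse(log):
    """Yield (timestamp, session_id, (ip, user_agent)) for each well-formed line."""
    for line in log.splitlines():
        parts = line.strip().split("|", 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, sid, ua = parts
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sid, (ip, ua)

def shared_sessions(log, window=timedelta(hours=2), min_clients=3):
    """Return {session_id: sorted clients} for sessions used by at least
    min_clients distinct (IP, User-Agent) pairs inside one time window."""
    by_sid = defaultdict(list)
    for when, sid, client in parse(log):
        by_sid[sid].append((when, client))
    flagged = {}
    for sid, events in by_sid.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct clients seen from this event until the window closes.
            seen = {c for t, c in events[i:] if t - start <= window}
            if len(seen) >= min_clients:
                flagged[sid] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for sid, clients in shared_sessions(SAMPLE_LOG).items():
        print(sid, "used by", len(clients), "distinct clients")
```

A single user can legitimately change IP address during a session, which is why the default threshold is three distinct clients rather than two.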


 [2008-02-03 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 