php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #45380 [PATCH] Access multiple sessions in a request
Submitted: 2008-06-27 17:25 UTC Modified: 2013-06-27 21:53 UTC
Votes:8
Avg. Score:4.6 ± 0.7
Reproduced:8 of 8 (100.0%)
Same Version:2 (25.0%)
Same OS:4 (50.0%)
From: jerome dot auge at anakeen dot com Assigned: yohgaki
Status: Assigned Package: *General Issues
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2008-06-27 17:25 UTC] jerome dot auge at anakeen dot com
Description:
------------
I want to access two distinct sessions content, but I only get access to 
the first session, and the second session_name/session_start does not 
change the content of the $_SESSION variable which remains the same as 
the first one.

After investigation, when switching session with a call to 
session_name('another_session')+session_start(), the session ID from the 
first session_start() is re-used, and the sess ID from the new session 
name 'another_session' is not used.

Reproduce code:
---------------
1) Call 'set_sess1.php' to set a session named 'sess1':

<?php
session_name('sess1');
session_start();
$session_id = session_id();
$cookie = $_COOKIE['sess1'];
$_SESSION['sess1']='session1:'.$session_id;
print "cookie = ".$cookie."\n";
print "session_id = ".$session_id."\n";
print "_SESSION = ".$_SESSION['sess1']."\n";
session_write_close();
?>

2) Call 'set_sess2.php' to set a session named 'sess2':

<?php
session_name('sess2');
session_start();
$session_id = session_id();
$cookie = $_COOKIE['sess2'];
$_SESSION['sess2']='session2:'.$session_id;
print "cookie = ".$cookie."\n";
print "session_id = ".$session_id."\n";
print "_SESSION = ".$_SESSION['sess2']."\n";
session_write_close();
?>

3) Try to access both session variables in 'get_sess.php':

<?php
session_name('sess1');
session_start();
$sess1 = $_SESSION['sess1'];
session_write_close();

session_name('sess2');
session_start();
$sess2 = $_SESSION['sess2'];
session_write_close();

foreach ($_COOKIE as $k => $v) {
        print "_COOKIE[$k] = $v\n";
}
print "sess1 = $sess1\n";
print "sess2 = $sess2\n";
?>

Expected result:
----------------
In 'get_sess.php', I expect to get access to the content of the 'sess2' 
session by issuing a new session_name('sess2')+session_start(), but the 
content of _SESSION remains the one from 'sess1'.

Expected output from 'get_sess.php':

  _COOKIE[sess1] = n0f57lap2oabeqvfc6t6c0ap60
  _COOKIE[sess2] = b4s2sr976f4qrbkimfh0i6kqm0
  sess1 = session1:n0f57lap2oabeqvfc6t6c0ap60
  sess2 = session2:b4s2sr976f4qrbkimfh0i6kqm0

Actual result:
--------------
Actuel output from 'get_sess.php':

  _COOKIE[sess1] = 2ot2t22ccq0t9de2edhgcrh4h4
  _COOKIE[sess2] = rt8jr3e6esvmp88id0e4o05091
  sess1 = session1:2ot2t22ccq0t9de2edhgcrh4h4
  sess2 =

The script also issue a "Set-Cookie: sess2=<value_from_sess1>", and I 
end up with the cookies 'sess1' and 'sess2' having the same ID.

I got around it by setting the session ID manually with 
session_id($_COOKIE['new_session']), after calling 
session_name('new_session') and before session_start()... but I was 
expecting PHP to handle this automatically...

So here is a proposal patch to de-allocate PS(id) when calling 
session_write_close(), in order to force session_start() to lookup the 
session ID from the session name:

--8<--
--- php-5.2.6.orig/ext/session/session.c        2008-04-29 
16:42:38.000000000 +0200
+++ php-5.2.6/ext/session/session.c     2008-06-27 18:29:05.000000000 
+0200
@@ -933,6 +933,11 @@
 
        if (PS(mod_data))
                PS(mod)->s_close(&PS(mod_data) TSRMLS_CC);
+
+       if (PS(id)) {
+               efree(PS(id));
+               PS(id) = NULL;
+       }
 }
 
 static char *month_names[] = {
-->8-- 


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-07-11 15:57 UTC] jani@php.net
See also bug #45270
 [2008-11-13 16:45 UTC] jd at jdfitzgerald dot net
The problem I'm having is actually bug #45270, which the powers that be have decided to mark as bogus related to this one. I hope it doesn't fall by the wayside due to this (poor?) decision.

The work-around I've found is to ini_set('session.use_cookies',0) after the first session_start. This will stop any further set-cookie headers being sent after the first one, with no ill effects that I've noticed.
 [2008-11-17 09:14 UTC] ritenvs1987 at yahoo dot com
I am facing the same problem, cannot access sessions with different names on the same page.
 [2008-12-17 08:20 UTC] vijaybabur at mobiusservices dot in
I also facing the same problem (Different sessions in one page).
 [2009-04-21 14:28 UTC] jean-philippe dot goydadin at bsp dot ulaval dot ca
I've got the exact same problem, on my Linux/Apache/PHP Server AND my windows/Apache/PHP server.

If you follow the documentation, a call to session_write_close(), session_name('MyNewSession') and session_start() should be sufficient to switch from one session to another, but it's not the case.

Description:
------------
I want to open a existing session, read data in it, close it and then create a new session.

Reproduce code:
---------------
1) Call 'set_sess1.php' to set a session named 'sess1':

<?php
session_name('sess1');
session_start();
$session_id = session_id();
// Do some stuff in sess1
$_SESSION['sess1']='session1:'.$session_id;
// Print session content
echo 'Session 1:<br />';
print_r($_SESSION);
session_write_close();
?>

2) Try to access 'sess1' data first AND THEN to create 'sess2' in the same script in 'view_sess1_create_sess2.php':
<?php
ob_start();

// session_name('sess1');
session_start();
// Do some stuff in sess1
$_SESSION['mydata'] = 'new update in sess1';
// Print session content
echo 'Session 1:<br />';
print_r($_SESSION);
// Save data into sess1
session_write_close();


// Create sess2
session_name('sess2');
session_start();
$session_id = session_id();
// Do some stuff in sess2
$_SESSION['sess2']='session2:'.$session_id;
$_SESSION['mydata'] = 'new update in sess2';
// Print session content
echo '<br /><br />Session 2:<br />';
print_r($_SESSION);
session_write_close();

ob_end_flush() 
?>

Expected ouptut result:
-----------------------
Session 1:
Array ( [sess1] => session1:f0ed9cecd7a730784a9f6aed4c241887 
        [mydata] => new update in sess1 )

Session 2:
Array ( [sess2] => session1:db0c904dd716126ddfc8e3db30e1ddda
        [mydata] => new update in sess2 ) 

Expected Set-Cookie header (SID different from sess1):
------------------------------------------------------
Set-Cookie: sess2=db0c904dd716126ddfc8e3db30e1ddda; path=/


Actual output result:
---------------------
Session 1:
Array ( [sess1] => session1:f0ed9cecd7a730784a9f6aed4c241887 
        [mydata] => new update in sess1 )

Session 2:
Array ( [sess1] => session1:f0ed9cecd7a730784a9f6aed4c241887 
        [mydata] => new update in sess2 
	[sess2] => session2:f0ed9cecd7a730784a9f6aed4c241887 ) 

Actual Set-Cookie header (same SID as sess1):
---------------------------------------------
Set-Cookie: sess2=f0ed9cecd7a730784a9f6aed4c241887; path=/

So php dosn't close sess1 properly, so the session still have the same SID. The patch I found is to use session_regenerate_id(false) and some patch:
Patched code:
-------------
<?php
session_name('sess1');
session_start();
// Do some stuff in sess1
$_SESSION['mydata'] = 'new update before creating sess2';
// Save data into sess1
session_write_close();

// Create sess2 with sess1 id without resending a Set-Cookie header
// Resending a Set-Cookie header would create a cookie sess2=<sess1_id>
// Furthermore, if you don't do the session_start() here, session_regenerate_id 
// will have no effect
ini_set('session.use_cookies',0);
session_name('sess2');
session_start();
ini_set('session.use_cookies',1);

// Create a new genuine session id and do the actual session_id($new_sess_id) silently, 
// then send a cookie to the client with the new id sess2=<new_sess2_id>
$old_sess_id = session_id();
session_regenerate_id(false);
$new_sess_id = session_id();

echo '<br />old : ' . $old_sess_id;
echo '<br />new : ' . $new_sess_id;
?>
 [2009-04-21 14:33 UTC] jean-philippe dot goydadin at bsp dot ulaval dot ca
There is a mistake in my Expected ouptut result:
You should read session2 in the second array:
[sess2] => session2:db0c904dd716126ddfc8e3db30e1ddda
                  -

Thanks,
JP
 [2013-06-27 21:53 UTC] yohgaki@php.net
-Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: yohgaki
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 18:01:53 2014 UTC