|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45939 Session empty inside SSH tunnel
Submitted: 2008-08-28 03:48 UTC Modified: 2008-09-01 02:09 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: robemail at gmail dot com Assigned:
Status: Closed Package: Session related
PHP Version: 5.2.6 OS: XP
Private report: No CVE-ID: None
 [2008-08-28 03:48 UTC] robemail at gmail dot com
Have a php page on a linux web server.
Access it publicly, over the internet, in XP with MS IE, and all is ok:
You see:


If you use plink, or any ssh tunneling software, to establich an SSH tunnel, and access the page via a redirected port, you only get:


Somehow the includes or the $_SESSION vars are all empty.

(This may not be a bug if I missed something, but please tell me! like - should I call session_start prior to includes to get it to work?)

Reproduce code:
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

// set up session vars in includes

// Setup the sessions

//get the url param
$urlparam = $_GET['myparam'];
//if the include set up $_SESSION[SsessionVar] to 
//be the string "Amazing"
$newvar = $_SESSION[SsessionVar]$urlparam;
echo '$newvar';
//To see good results (AmazingBob) call this with 
//To see problem, call the web page after setting up ssh tunnel as

Expected result:

Actual result:


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-08-28 11:14 UTC] robemail at gmail dot com
1. I meant to tell you that the linux web server is Apache.
2. And that the function that consumes the concatenated session and user variable is in one of the include files.

Also, I tried putting the start_session first, still no joy.

I also tried placing the php in an html formated page, ie placing the basic html/header/body tags around the php code...still no joy.
 [2008-08-28 21:10 UTC]
First you have to provide a proper reproducing script. 
One that is:
a) self-contained (NO INCLUDES!)
b) works without errors, warnings or notices. Set error_reporting = E_ALL and display_errors = on to make sure your script does not cause any error messages.
 [2008-09-01 02:09 UTC] robemail at gmail dot com
Well, - 

a. I can't have a self contained bug recreation script as the bug is based on the session vars being consumed in an 'included' function..
b. there are no errors. 

I know you guys are all doing this 'pro-bono' but why add such statements without reading the bug to begin with? Common sense would brings us a long way forward faster. 

If I were to have received the amount of information that was provided in this report, I would have been able to do somethign with it. It behooves yourselves to think out side of the box for these sorts of things.

And that's exactly what I did... and found the fix to the problem.

The problem is not with PHP at all.

The problem is that if your php script attempts to log you into a domain, prior to allowing access to $_SESSION wariables (good o'  chekhov from clasic Star-Trek haha) Your user id must belong to that domain.  If you have an open SSH tunnel, the domain is usually localhost, unless you have a an entry in the hosts file for the remote domain to 'fool' the with the URL to allow you to access the URL with the remote domain, rather than localhost. With that in place the URL call is successful, and session variables are available to you.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Feb 05 18:03:43 2023 UTC