php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45939 Session empty inside SSH tunnel
Submitted: 2008-08-28 03:48 UTC Modified: 2008-09-01 02:09 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: robemail at gmail dot com Assigned:
Status: Closed Package: Session related
PHP Version: 5.2.6 OS: XP
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: robemail at gmail dot com
New email:
PHP Version: OS:

 

 [2008-08-28 03:48 UTC] robemail at gmail dot com
Description:
------------
Have a php page on a linux web server.
Access it publicly, over the internet, in XP with MS IE, and all is ok:
You see:

AmazingBob.

If you use plink, or any ssh tunneling software, to establich an SSH tunnel, and access the page via a redirected port, you only get:

Bob

Somehow the includes or the $_SESSION vars are all empty.

(This may not be a bug if I missed something, but please tell me! like - should I call session_start prior to includes to get it to work?)

Reproduce code:
---------------
<?php 
header("Cache-Control: no-cache, must-revalidate");
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

// set up session vars in includes
include('this_file.php');
include('that_file.php');

// Setup the sessions
session_start();

//get the url param
$urlparam = $_GET['myparam'];
//if the include set up $_SESSION[SsessionVar] to 
//be the string "Amazing"
$newvar = $_SESSION[SsessionVar]$urlparam;
echo '$newvar';
//To see good results (AmazingBob) call this with 
//http://1.1.1.1/thepage.php?myparam=Bob
//To see problem, call the web page after setting up ssh tunnel as
//http://localhost:8080/thepage.php?myparam=Bob
?>


Expected result:
----------------
AmazingBob

Actual result:
--------------
Bob

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-08-28 11:14 UTC] robemail at gmail dot com
1. I meant to tell you that the linux web server is Apache.
2. And that the function that consumes the concatenated session and user variable is in one of the include files.

Also, I tried putting the start_session first, still no joy.

I also tried placing the php in an html formated page, ie placing the basic html/header/body tags around the php code...still no joy.
 [2008-08-28 21:10 UTC] jani@php.net
First you have to provide a proper reproducing script. 
One that is:
a) self-contained (NO INCLUDES!)
b) works without errors, warnings or notices. Set error_reporting = E_ALL and display_errors = on to make sure your script does not cause any error messages.
 [2008-09-01 02:09 UTC] robemail at gmail dot com
Well, - 

a. I can't have a self contained bug recreation script as the bug is based on the session vars being consumed in an 'included' function..
b. there are no errors. 

I know you guys are all doing this 'pro-bono' but why add such statements without reading the bug to begin with? Common sense would brings us a long way forward faster. 

If I were to have received the amount of information that was provided in this report, I would have been able to do somethign with it. It behooves yourselves to think out side of the box for these sorts of things.

And that's exactly what I did... and found the fix to the problem.

The problem is not with PHP at all.

The problem is that if your php script attempts to log you into a domain, prior to allowing access to $_SESSION wariables (good o'  chekhov from clasic Star-Trek haha) Your user id must belong to that domain.  If you have an open SSH tunnel, the domain is usually localhost, unless you have a an entry in the hosts file for the remote domain to 'fool' the with the URL to allow you to access the URL with the remote domain, rather than localhost. With that in place the URL call is successful, and session variables are available to you.
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Feb 05 18:03:43 2023 UTC