|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #46005 [PATCH] User not consistently logged under Apache2
Submitted: 2008-09-05 19:57 UTC Modified: 2008-12-18 14:35 UTC
Avg. Score:4.5 ± 0.8
Reproduced:11 of 11 (100.0%)
Same Version:11 (100.0%)
Same OS:7 (63.6%)
From: admorten at umich dot edu Assigned:
Status: Closed Package: Apache2 related
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
17 + 24 = ?
Subscribe to this entry?

 [2008-09-05 19:57 UTC] admorten at umich dot edu
The apache2 handler and filter strip the user (r->user) from the 
request if there's no Authorization header in the request. This breaks 
user logging for authorization filters like mod_auth_kerb, 
mod_authnz_ldap and mod_cosign, which do not use the Authorization 
header. The patches linked to below check to see r->user is set and 
ensures that the user remains attached to the request, which Apache2 
can then use to log the user properly.

This should fix the issues reported previously in bug #44631. The 
issue was partially fixed with the patch in bug #22672, but that patch 
continued to rely on Authorization headers, and was only applied to 
the apache2 handler.

Patches (apply to 5.2.6):


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-09-05 20:01 UTC] admorten at umich dot edu
Patch URLs got mangled. Shortened patch names:

 [2008-10-10 15:52 UTC] admorten at umich dot edu
I've updated both patches to use apr_pstrdup instead of estrdup when 
copying r->user into SG(request_info).auth_user, which is how the rest 
of the request info is copied. URLs are still the same.
 [2008-11-05 10:16 UTC] k at kelvinlim dot com
I encountered this bug as well, as our Apache configuration uses a custom single sign-on authentication module.

admorten's patches successfully resolved the issue--but only after I switched back to the use of estrdup.  apr_pstrdup does *not* work; instead, it causes my Apache processes (prefork MPM) to segfault.
 [2008-11-06 18:57 UTC] admorten at umich dot edu
Do you have a backtrace?
 [2008-12-17 11:09 UTC]
It should definitely be estrdup, since SAPI.c uses efree to free it.
 [2008-12-17 11:35 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

applied to 5.3+, thanks
 [2008-12-18 14:35 UTC]
And now also in PHP_5_2 branch. :)
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Tue Dec 05 05:01:29 2023 UTC