Bug #4670 Session_start() seems to localize session to a script.
Submitted: 2000-05-29 16:34 UTC Modified: 2000-05-29 19:34 UTC
From: arcon2600 at hotmail dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4.0.0 Release OS: Slackware Linux 7.0 2.2.15
Private report: No CVE-ID: None
 [2000-05-29 16:34 UTC] arcon2600 at hotmail dot com
Bug Description:
If you start a session in one script, and then follow a link to any other script or use header("Location: ") to redirect to another script, $PHPSESSION contains the previous session id, however session_start() creates a new session and session ID and passes it back to the browser.  The *only* way you can switch between pages is if you send
<META http-equiv="refresh" content="0;"> etc... then it seems to recreate the session fine.  (Don't even ask how I found that out, I was getting quite creative and desperate :P).


Temporary Workaround:
(Untested beyond 2 pages, i.e. I may need to use session_register() to re-register the variables, I dunno)
Use the following to replace session_start() and session_register() on b.php....
<?PHP
// $PHPSESSION is the session cookie (session.name = PHPSESSION, register_globals = On).
// It comes straight from the client, so it is checked against the characters a
// PHP session id may contain before it is used to build a path under /tmp.
if (!preg_match('/^[a-zA-Z0-9]+$/', $PHPSESSION)) {
        die("invalid session id");
}
$fpsession = fopen("/tmp/sess_$PHPSESSION","r");
if (!$fpsession) {
        die("no session file for this id");
}
$sessioninfo = "";
while (!feof($fpsession)) {
        $sessioninfo .= fgets($fpsession,1024);
}
fclose($fpsession);
session_decode($sessioninfo);
?>


Sample Code (2 files a.php, b.php, c.php):
(Tested with and without session_register() on b.php and c.php...)
---a.php---
<?PHP
session_start();
$temp = "asdf";
session_register("temp");
?>
<HTML><BODY>
<?PHP
echo(session_id() . "<BR>" . $temp);
?>
<BR>
<A HREF="b.php">go here</A>
</BODY></HTML>

---b.php---
<?PHP
session_start();
session_register("temp");
?>
<HTML><BODY>
<?PHP
echo(session_id() . "<BR>" . $temp . "<BR>" . $PHPSESSION);
?>
<BR>
<A HREF="c.php">go here</A>
</BODY></HTML>

---c.php---
<?PHP
session_start();
session_register("temp");
?>
<HTML><BODY><?PHP echo(session_id() . "<BR>" . $temp);?></BODY></HTML>



Configure command:
./configure --with-apxs=/var/lib/apache/sbin/apxs --with-config-file-path=/etc --enable-track-vars --enable-magic-quotes --enable-bcmath --enable-calendar --with-dom=/usr/local/lib --with-gettext --with-mhash=/usr/local --with-mysql --enable-url-includes --enable-sysvsem --enable-sysvshm --with-xml --enable-yp --enable-imap=/root/imap-4.7c  -disable-debug --enable-inline-optimization --enable-trans-sid



Php.ini:
[PHP]

;;;;;;;;;;;;;;;;;;;;
; Language Options ;
;;;;;;;;;;;;;;;;;;;;

engine		= On	; Enable the PHP scripting language engine under Apache
short_open_tag	= On	; allow the <? tag.  otherwise, only <?php and <script> tags are recognized.
asp_tags	= Off	; allow ASP-style <% %> tags
precision	= 14	; number of significant digits displayed in floating point numbers
y2k_compliance	= Off	; whether to be y2k compliant (will cause problems with non y2k compliant browsers)
output_buffering = Off	; Output buffering allows you to send header lines (including cookies)
			; even after you send body content, in the price of slowing PHP's
			; output layer a bit.
			; You can enable output buffering by in runtime by calling the output
			; buffering functions, or enable output buffering for all files
			; by setting this directive to On.
implicit_flush	 = Off	; Implicit flush tells PHP to tell the output layer to flush itself
			; automatically after every output block.  This is equivalent to
			; calling the PHP function flush() after each and every call to print()
			; or echo() and each and every HTML block.
			; Turning this option on has serious performance implications, and
			; is generally recommended for debugging purposes only.
allow_call_time_pass_reference	= Off	; whether to enable the ability to force arguments to be 
					; passed by reference at function-call time.  This method
					; is deprecated, and is likely to be unsupported in future
					; versions of PHP/Zend.  The encouraged method of specifying
					; which arguments should be passed by reference is in the
					; function declaration.  You're encouraged to try and
					; turn this option Off, and make sure your scripts work
					; properly with it, to ensure they will work with future
					; versions of the language (you will receive a warning
					; each time you use this feature, and the argument will
					; be passed by value instead of by reference).

; Safe Mode
safe_mode		=	Off
safe_mode_exec_dir	=
safe_mode_allowed_env_vars = PHP_	; Setting certain environment variables
					; may be a potential security breach.
					; This directive contains a comma-delimited
					; list of prefixes.  In Safe Mode, the
					; user may only alter environment
					; variables whose names begin with the
					; prefixes supplied here.
					; By default, users will only be able
					; to set environment variables that begin
					; with PHP_ (e.g. PHP_FOO=BAR).
					; Note:  If this directive is empty, PHP
					; will let the user modify ANY environment
					; variable!
safe_mode_protected_env_vars = LD_LIBRARY_PATH		; This directive contains a comma-
							; delimited list of environment variables,
							; that the end user won't be able to
							; change using putenv().
							; These variables will be protected
							; even if safe_mode_allowed_env_vars is
							; set to allow to change them.

; Colors for Syntax Highlighting mode.  Anything that's acceptable in <font color=???> would work.
highlight.string	=	#DD0000
highlight.comment	=	#FF8000
highlight.keyword	=	#007700
highlight.bg		=	#FFFFFF
highlight.default	=	#0000BB
highlight.html		=	#000000

; Misc
expose_php	=	On		; Decides whether PHP may expose the fact that it is installed on the
					; server (e.g., by adding its signature to the Web server header).
					; It is no security threat in any way, but it makes it possible
					; to determine whether you use PHP on your server or not.



;;;;;;;;;;;;;;;;;;;
; Resource Limits ;
;;;;;;;;;;;;;;;;;;;

max_execution_time = 30	; Maximum execution time of each script, in seconds (UNIX only)
memory_limit = 8388608	; Maximum amount of memory a script may consume (8MB)


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Error handling and logging ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; error_reporting is a bit-field.  Or each number up to get desired error reporting level
; E_ALL				- All errors and warnings
; E_ERROR			- fatal run-time errors
; E_WARNING			- run-time warnings (non fatal errors)
; E_PARSE			- compile-time parse errors
; E_NOTICE			- run-time notices (these are warnings which often result from a bug in
;					  your code, but it's possible that it was intentional (e.g., using an
;					  uninitialized variable and relying on the fact it's automatically
;					  initialized to an empty string)
; E_CORE_ERROR		- fatal errors that occur during PHP's initial startup
; E_CORE_WARNING	- warnings (non fatal errors) that occur during PHP's initial startup
; E_COMPILE_ERROR	- fatal compile-time errors
; E_COMPILE_WARNING	- compile-time warnings (non fatal errors)
; E_USER_ERROR		- user-generated error message
; E_USER_WARNING	- user-generated warning message
; E_USER_NOTICE		- user-generated notice message
; Examples:
; error_reporting = E_ALL & ~E_NOTICE				; show all errors, except for notices
; error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR	; show only errors
error_reporting	=	E_ALL & ~E_NOTICE		; Show all errors except for notices
display_errors	=	On	; Print out errors (as a part of the HTML script)
log_errors	=	Off	; Log errors into a log file (server-specific log, stderr, or error_log (below))
track_errors	=	Off	; Store the last error/warning message in $php_errormsg (boolean)
;error_prepend_string	= "<font color=ff0000>"   ; string to output before an error message
;error_append_string	= "</font>"                ; string to output after an error message
;error_log	=	filename	; log errors to specified file
;error_log	=	syslog		; log errors to syslog (Event Log on NT, not valid in Windows 95)
warn_plus_overloading	=	Off		; warn if the + operator is used with strings


;;;;;;;;;;;;;;;;;
; Data Handling ;
;;;;;;;;;;;;;;;;;
variables_order		= "EGPCS"	; This directive describes the order in which PHP registers
				; GET, POST, Cookie, Environment and Built-in variables (G, P,
				; C, E & S respectively, often referred to as EGPCS or GPC).
				; Registration is done from left to right, newer values override
				; older values.
register_globals	= On	; Whether or not to register the EGPCS variables as global
				; variables.  You may want to turn this off if you don't want
				; to clutter your scripts' global scope with user data.  This makes
				; most sense when coupled with track_vars - in which case you can
				; access all of the GPC variables through the $HTTP_*_VARS[],
				; variables.
register_argv_argc	= On	; This directive tells PHP whether to declare the argv&argc
				; variables (that would contain the GET information).  If you
				; don't use these variables, you should turn it off for
				; increased performance
track_vars		= On	; enable the $HTTP_*_VARS[] arrays, where * is one of
			 	; ENV, POST, GET, COOKIE or SERVER.
gpc_order		= "GPC"	; This directive is deprecated.  Use variables_order instead.
gpc_globals 		= On	; Make session variables global automagically.
gpc.globals		= On	; asdf
; Magic quotes
magic_quotes_gpc	= On	; magic quotes for incoming GET/POST/Cookie data
magic_quotes_runtime	= Off	; magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_sybase	= Off	; Use Sybase-style magic quotes (escape ' with '' instead of \')

; automatically add files before or after any PHP document
auto_prepend_file	=
auto_append_file	=

; As of 4.0b4, PHP always outputs a character encoding by default in
; the Content-type: header.  To disable sending of the charset, simply
; set it to be empty.
; PHP's built-in default is text/html
default_mimetype = "text/html"
;default_charset = "iso-8859-1"

;;;;;;;;;;;;;;;;;;;;;;;;;
; Paths and Directories ;
;;;;;;;;;;;;;;;;;;;;;;;;;
include_path	= /var/lib/apache/php/include:./  ; UNIX: "/path1:/path2"  Windows: "\path1;\path2"
doc_root	=	; the root of the php pages, used only if nonempty
user_dir	=	; the directory under which php opens the script using /~username, used only if nonempty
;upload_tmp_dir	=	   ; temporary directory for HTTP uploaded files (will use system default if not specified)
upload_max_filesize	= 2097152       ; 2 Meg default limit on file uploads
extension_dir		= ./		; directory in which the loadable extensions (modules) reside


;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
; if you wish to have an extension loaded automatically, use the
; following syntax:  extension=modulename.extension
; for example, on windows,
; extension=msql.dll
; or under UNIX,
; extension=msql.so
; Note that it should be the name of the module only, no directory information 
; needs to go here.  Specify the location of the extension with the extension_dir directive above.


;Windows Extensions
;extension=php_mysql.dll
;extension=php_nsmail.dll
;extension=php_calendar.dll
;extension=php_dbase.dll
;extension=php_filepro.dll
;extension=php_gd.dll
;extension=php_dbm.dll
;extension=php_mssql.dll
;extension=php_zlib.dll
;extension=php_filepro.dll
;extension=php_imap4r2.dll
;extension=php_ldap.dll
;extension=php_crypt.dll
;extension=php_msql2.dll
;extension=php_odbc.dll

;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;

[Syslog]
define_syslog_variables	= Off	; Whether or not to define the various syslog variables,
				; e.g. $LOG_PID, $LOG_CRON, etc.  Turning it off is a
				; good idea performance-wise.  In runtime, you can define
				; these variables by calling define_syslog_variables()


[mail function]
;SMTP		= localhost		;for win32 only
;sendmail_from	= me@localhost.com	;for win32 only
sendmail_path	= /usr/bin/sendmail	;for unix only, may supply arguments as well (default is sendmail -t)

[Debugger]
debugger.host		= localhost
debugger.port		= 7869
debugger.enabled	= False

[Logging]
; These configuration directives are used by the example logging mechanism.
; See examples/README.logging for more explanation.
;logging.method    = db
;logging.directory = /path/to/log/directory

[SQL]
sql.safe_mode	=	Off

[ODBC]
;uodbc.default_db	=	Not yet implemented
;uodbc.default_user	=	Not yet implemented
;uodbc.default_pw	=	Not yet implemented
uodbc.allow_persistent	= On	; allow or prevent persistent links
uodbc.check_persistent  = On	; check that a connection is still valid before reuse
uodbc.max_persistent	= -1	; maximum number of persistent links. -1 means no limit
uodbc.max_links		= -1	; maximum number of links (persistent+non persistent). -1 means no limit
uodbc.defaultlrl	= 4096	; Handling of LONG fields. Returns number of bytes to variables, 0 means passthru
uodbc.defaultbinmode	= 1	; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char
; See the documentation on odbc_binmode and odbc_longreadlen for an explanation of uodbc.defaultlrl
; and uodbc.defaultbinmode

[MySQL]
mysql.allow_persistent	= On	; allow or prevent persistent link
mysql.max_persistent	= -1	; maximum number of persistent links. -1 means no limit
mysql.max_links		= -1	; maximum number of links (persistent+non persistent).  -1 means no limit
mysql.default_port	=	; default port number for mysql_connect().  If unset,
				; mysql_connect() will use the $MYSQL_TCP_PORT, or the mysql-tcp
				; entry in /etc/services, or the compile-time defined MYSQL_PORT
				; (in that order).  Win32 will only look at MYSQL_PORT.
mysql.default_host	=	; default host for mysql_connect() (doesn't apply in safe mode)
mysql.default_user	=	; default user for mysql_connect() (doesn't apply in safe mode)
mysql.default_password	=	; default password for mysql_connect() (doesn't apply in safe mode)
				; Note that this is generally a *bad* idea to store passwords
				; in this file.  *Any* user with PHP access can run
				; 'echo cfg_get_var("mysql.default_password")' and reveal that
				; password!  And of course, any users with read access to this
				; file will be able to reveal the password as well.

[mSQL]
msql.allow_persistent	= On	; allow or prevent persistent link
msql.max_persistent	= -1	; maximum number of persistent links. -1 means no limit
msql.max_links		= -1	; maximum number of links (persistent+non persistent).  -1 means no limit

[PostgresSQL]
pgsql.allow_persistent		= On	; allow or prevent persistent link
pgsql.max_persistent		= -1	; maximum number of persistent links. -1 means no limit
pgsql.max_links			= -1	; maximum number of links (persistent+non persistent).  -1 means no limit

[Sybase]
sybase.allow_persistent		= On	; allow or prevent persistent link
sybase.max_persistent		= -1	; maximum number of persistent links. -1 means no limit
sybase.max_links		= -1	; maximum number of links (persistent+non persistent).  -1 means no limit
;sybase.interface_file		= "/usr/sybase/interfaces"
sybase.min_error_severity	= 10	; minimum error severity to display
sybase.min_message_severity	= 10	; minimum message severity to display
sybase.compatability_mode	= Off	; compatibility mode with old versions of PHP 3.0.
					; If on, this will cause PHP to automatically assign types to results
					; according to their Sybase type, instead of treating them all as
					; strings.  This compatibility mode will probably not stay around
					; forever, so try applying whatever necessary changes to your code,
					; and turn it off.

[Sybase-CT]
sybct.allow_persistent		= On	; allow or prevent persistent link
sybct.max_persistent		= -1	; maximum number of persistent links. -1 means no limit
sybct.max_links			= -1	; maximum number of links (persistent+non persistent).  -1 means no limit
sybct.min_server_severity	= 10	; minimum server message severity to display
sybct.min_client_severity	= 10	; minimum client message severity to display

[bcmath]
bcmath.scale	=	20	; number of decimal digits for all bcmath functions

[browscap]
;browscap	=	extra/browscap.ini

[Informix]
ifx.default_host	=	; default host for ifx_connect() (doesn't apply in safe mode)
ifx.default_user	=	; default user for ifx_connect() (doesn't apply in safe mode)
ifx.default_password	=	; default password for ifx_connect() (doesn't apply in safe mode)
ifx.allow_persistent	= On	; allow or prevent persistent link
ifx.max_persistent	= -1	; maximum number of persistent links. -1 means no limit
ifx.max_links		= -1	; maximum number of links (persistent+non persistent).  -1 means no limit
ifx.textasvarchar	= 0	; if set on, select statements return the contents of a text blob instead of its id
ifx.byteasvarchar	= 0	; if set on, select statements return the contents of a byte blob instead of its id
ifx.charasvarchar	= 0	; trailing blanks are stripped from fixed-length char columns. May help the life
			 	; of Informix SE users. 
ifx.blobinfile		= 0	; if set on, the contents of text&byte blobs are dumped to a file instead of
				; keeping them in memory
ifx.nullformat		= 0	; NULL's are returned as empty strings, unless this is set to 1. In that case,
				; NULL's are returned as string 'NULL'.

[Session]
session.save_handler	  = files   ; handler used to store/retrieve data
session.save_path	  = /tmp    ; argument passed to save_handler
                                    ; in the case of files, this is the
                                    ; path where data files are stored
session.use_cookies       = 1       ; whether to use cookies
session.name              = PHPSESSION  
                                    ; name of the session
                                    ; is used as cookie name
session.auto_start        = 0       ; initialize session on request startup
session.cookie_lifetime   = 0       ; lifetime in seconds of cookie
                                    ; or if 0, until browser is restarted
session.cookie_path       = /       ; the path the cookie is valid for
session.cookie_domain     =         ; the domain the cookie is valid for
session.serialize_handler = php     ; handler used to serialize data
                                    ; php is the standard serializer of PHP
session.gc_probability    = 1       ; percentual probability that the 
                                    ; 'garbage collection' process is started
                                    ; on every session initialization
session.gc_maxlifetime    = 900     ; after this number of seconds, stored
                                    ; data will be seen as 'garbage' and
                                    ; cleaned up by the gc process
session.referer_check     = 0       ; check HTTP Referer to invalidate 
                                    ; externally stored URLs containing ids
session.entropy_length    = 0       ; how many bytes to read from the file
session.entropy_file      =         ; specified here to create the session id
; session.entropy_length  = 16
; session.entropy_file    = /dev/urandom
session.cache_limiter     = nocache ; set to {nocache,private,public} to
                                    ; determine HTTP caching aspects
session.cache_expire      = 180     ; document expires after n minutes

[MSSQL]
;extension=php_mssql.dll
mssql.allow_persistent		= On	; allow or prevent persistent link
mssql.max_persistent		= -1	; maximum number of persistent links. -1 means no limit
mssql.max_links			= -1	; maximum number of links (persistent+non persistent).  -1 means no limit
mssql.min_error_severity	= 10	; minimum error severity to display
mssql.min_message_severity	= 10	; minimum message severity to display
mssql.compatability_mode	= Off	; compatibility mode with old versions of PHP 3.0.

[Assertion]
;assert.active		= On	; assert(expr); active by default
;assert.warning		= On	; issue a PHP warning for each failed assertion.
;assert.bail		= Off	; don't bail out by default.
;assert.callback	= 0	; user-function to be called if an assertion fails.
;assert.quiet_eval	= 0	; eval the expression with current error_reporting().
				; set to true if you want error_reporting(0) around the eval().

[Zend]
zend_optimizer.optimization_level=7
zend_extension="/usr/local/Zend/lib/ZendOptimizer.so"

; Local Variables:
; tab-width: 4
; End:


Thanks,
Adam Bregenzer

 [2000-05-29 19:34 UTC] arcon2600 at hotmail dot com
OK, so my previous comments were off.  I took a look at session.c and
tied my previous trouble with sessions only working with a meta re-direct.
I tried setting session.referer_check = 0 and that didn't help.  I just looked
at the code again and noticed that it only checks to see if it's null, not to see
if it's 1 or 0.  After setting session.referer_check =
it worked fine.  So now this bug is closed and I'll check and see if the referer
bit is my problem or not.....

Thanks,
Adam
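The referer_check behaviour identified in the comment above, modelled as an added PHP example (this is not code from the report or from PHP's session.c): the directive is a substring that must occur in the HTTP Referer, not a 1/0 switch, and a request that carries no Referer is never rejected. The hostnames and request cases are constructed.

```php
<?php
// Decide whether an incoming session id is kept, following the semantics the
// report describes for PHP 4.0.0: the check is active whenever the directive is
// set at all (even to "0"), and it compares by substring against the Referer.
// $setting: value of session.referer_check from php.ini, or null when unset.
// $referer: the request's HTTP Referer header, or null when the browser sent none.
function referer_check_keeps_session($setting, $referer)
{
    if ($setting === null) {
        return true;                    // directive unset: nothing to compare
    }
    if ($referer === null) {
        return true;                    // no Referer header: the check cannot fail
    }
    if ($setting === '') {
        return true;                    // empty needle matches any Referer (strstr semantics)
    }
    // Substring match: the configured value must appear somewhere in the Referer.
    return strpos($referer, $setting) !== false;
}

// Constructed requests mirroring the report: a link from a.php, a META refresh
// (no Referer), and a link arriving from a foreign host.
$cases = array(
    array('0',         'http://localhost/a.php', 'link from a.php'),
    array('0',         null,                     'META refresh, no Referer'),
    array('',          'http://localhost/a.php', 'link from a.php'),
    array('localhost', 'http://localhost/a.php', 'link from a.php'),
    array('localhost', 'http://evil.example/x',  'link from another host'),
);

foreach ($cases as $c) {
    list($setting, $referer, $label) = $c;
    printf("referer_check=%-12s %-26s -> %s\n",
        "'" . $setting . "'", $label,
        referer_check_keeps_session($setting, $referer) ? 'keep session' : 'new session');
}
// With referer_check='0' the normal link gets a new session (no "0" in the URL)
// while the META refresh keeps it, which is exactly the symptom in the report.
// Setting it to the site's own host name gives the binding that was intended;
// even then a missing or client-controlled Referer always passes, so the check
// is a nuisance filter, not a session-security control.
?>
```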

 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Wed Feb 01 02:03:46 2023 UTC