|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49326 output_buffering can break unsecure transparent automatic SID adding
Submitted: 2009-08-21 21:46 UTC Modified: 2013-02-18 00:33 UTC
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: k dot triendl at m-box dot at Assigned:
Status: No Feedback Package: Session related
PHP Version: 5.2.10 OS: windows xp sp3
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2009-08-21 21:46 UTC] k dot triendl at m-box dot at
If output_buffering is set to 4096 and session.use_trans_sid is used, the output may be broken:

<a href="index.php"?PHPSESSID=fa562d5bb14df890e6db68627ea76442>

I've found that the same bug was reported in 2003 for php-4.3.8 (which was fixed back then) and filed under #29333:
The problem is reproducable with the code that Alan has still on his website.

I hope it's ok to refer to bug #29333.

Reproduce code:
As described in #29333

Expected result:
As described in #29333

Actual result:
As described in #29333


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-09-04 11:41 UTC]
Please provide a proper test case which does not have any external requirements.
 [2009-09-15 14:41 UTC] k dot triendl at m-box dot at
Reproduce code:
I've prepared a test case without external requirements:

phpbug_49326.php.txt is the php script, remove the .txt extension; is the file included by the php script.
Be sure to set 'output_buffering' to 4096 in the php.ini or the .htaccess file.

Expected result:
correct link to 'Impressum':
<a href="imprint.m-box?setmgrname=mboxobj&amp;fcardid=4&amp;reffcardid=3&amp;PHPSESSID=bouq4a3sddqfeqp4hrobr4bur0>Impressum</a>

Actual result:
incorrect link to 'Impressum':
<a href="imprint.m-box?setmgrname=mboxobj&amp;fcardid=4&amp;reffcardid=3"?PHPSESSID=bouq4a3sddqfeqp4hrobr4bur0>Impressum</a>
 [2009-09-16 08:02 UTC]
You should really add the SID "manually" anyway, using 
session.use_trans_sid should be avoided always when your site is 
anything else but some intranet. (might be fixed, propably won't be 
 [2009-09-18 14:07 UTC] k dot triendl at m-box dot at
Well, this is no satisfactory answer, I feel.

There are situations where cookies can't be used; cookies are bound to a path. If one sets them for the root '/' then the session information is valid for the whole path. No other session can be created without destroying the old one. Users wouldn't be able to login into different databases at the same time or with different user credentials.
Also, I don't see so much the security risk with SIDs in URLs as information via our application is read-only to the public and will be changed only in intranets. Additionally, sessions are time-limited.

No matter the security risks it should be up to the application to decide whether it matters or not. Cookies have their own flaws.
PHP offers the feature to append the SID automatically and therefore I'm urging that this bug gets fixed (php 5.3.x might have the same bug), otherwise the feature should be deprecated.

Adding the SID manually is a tedious and error-prone work.
 [2012-03-29 09:25 UTC]
Please try using this snapshot:
For Windows:

 [2012-03-29 09:25 UTC]
-Status: Open +Status: Feedback
 [2013-02-18 00:33 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Feb 24 07:01:28 2024 UTC