Bug #50424 PHPSESSID being exposed in code even if trans.sid is set or not
Submitted: 2009-12-09 10:19 UTC Modified: 2009-12-17 01:00 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: donauinsel at hotmail dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 5.2.12RC3 OS: Windows 2003
Private report: No CVE-ID: None

 [2009-12-09 10:19 UTC] donauinsel at hotmail dot com
Description:
------------
On Windows 2003 it seems that PHPSESSID is exposed in the HTML code even if session.use_trans_sid is set or not (but it should be disabled by default). PHPSESSID is going into all links, so the URL rewriter tags seem to be skipped for some reason. This behavior happens while using ISAPI mode.

Reproduce code:
---------------
I cannot give enough information for reproducible code, but it seems to happen when using a template engine which EVAL's the template.


 [2009-12-09 10:59 UTC] jani@php.net
Exactly what PHP version are you using? What does phpinfo() say about the session settings?
 [2009-12-09 11:31 UTC] donauinsel at hotmail dot com
5.2.12RC3-dev or 5.2.12RC4-dev latest Snap.

Session from PHPINFO says:

Session Support 	enabled
Registered save handlers 	files user
Registered serializer handlers 	php php_binary wddx

Directive	Local Value	Master Value
session.auto_start	Off	Off
session.bug_compat_42	Off	Off
session.bug_compat_warn	On	On
session.cache_expire	180	180
session.cache_limiter	nocache	nocache
session.cookie_domain	no value	no value
session.cookie_httponly	Off	Off
session.cookie_lifetime	0	0
session.cookie_path	/	/
session.cookie_secure	Off	Off
session.entropy_file	no value	no value
session.entropy_length	0	0
session.gc_divisor	1000	1000
session.gc_maxlifetime	1440	1440
session.gc_probability	1	1
session.hash_bits_per_character	5	5
session.hash_function	0	0
session.name	PHPSESSID	PHPSESSID
session.referer_check	no value	no value
session.save_handler	files	files
session.save_path	c:/scantemp	c:/scantemp
session.serialize_handler	php	php
session.use_cookies	On	On
session.use_only_cookies	Off	Off
session.use_trans_sid	0	0
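
The session table in the comment above can be checked mechanically. This is an added example, not code from the report or from the PHP project: it parses phpinfo()-style rows and flags directives that affect where the session ID can appear, plus any local value that overrides the master value. The function names and the rule set are assumptions of the example; the sample rows are constructed from the values posted in this thread.

```python
# Added example: audit phpinfo()-style session rows for settings that affect
# where the session ID can appear. SAMPLE is constructed from values posted in
# this report; RULES is this example's own assumption, not a PHP-defined list.
import re

SAMPLE = """\
session.cookie_httponly\tOff\tOff
session.cookie_secure\tOff\tOff
session.name\tPHPSESSID\tPHPSESSID
session.use_cookies\tOn\tOn
session.use_only_cookies\tOff\tOff
session.use_trans_sid\t0\t0
"""

TRUE_VALUES = {"on", "1", "yes", "true"}

# directive -> (expected boolean state, finding reported when it differs)
RULES = {
    "session.use_trans_sid": (False, "PHP rewrites links and forms to carry the session ID"),
    "session.use_only_cookies": (True, "PHP accepts a session ID supplied in the URL"),
    "session.cookie_httponly": (True, "session cookie is readable from JavaScript"),
    "session.cookie_secure": (True, "session cookie is sent over plain HTTP"),
}

def parse_phpinfo(text):
    """Return {directive: (local, master)} from tab- or multi-space-separated rows."""
    table = {}
    for line in text.splitlines():
        cols = [c.strip() for c in re.split(r"\t+|\s{2,}", line.strip())]
        if len(cols) == 3 and cols[0].startswith("session."):
            table[cols[0]] = (cols[1], cols[2])
    return table

def audit(table):
    """Return a sorted list of (directive, finding) tuples."""
    findings = []
    for name, (local, master) in table.items():
        # A local value that differs from master was changed per directory or at runtime.
        if local != master:
            findings.append((name, f"local value {local!r} overrides master {master!r}"))
        if name in RULES:
            wanted, reason = RULES[name]
            if (local.lower() in TRUE_VALUES) != wanted:
                findings.append((name, reason))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(parse_phpinfo(SAMPLE)):
        print(f"{name}: {finding}")
```
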
 [2009-12-09 11:36 UTC] donauinsel at hotmail dot com
You can close this; I found the problem to be eAccelerator, which causes the PHPSESSID to be in code everywhere. I disabled eAccelerator and it works so far!


Thank you very much.
 [2009-12-09 11:41 UTC] donauinsel at hotmail dot com
Sorry - reopen :-) It looks so but after checking again - EAC was not the problem. The problem still persists.
 [2009-12-17 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jun 23 01:01:29 2024 UTC