php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52018 Probable cookie problem with 5.3.2
Submitted: 2010-06-07 21:47 UTC Modified: 2013-02-18 00:34 UTC
Votes:5
Avg. Score:5.0 ± 0.0
Reproduced:3 of 5 (60.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: nospam at nospam dot homelinux dot org Assigned:
Status: No Feedback Package: HTTP related
PHP Version: 5.3.2 OS: Linux Debian 5.0.4
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2010-06-07 21:47 UTC] nospam at nospam dot homelinux dot org
Description:
------------
There seems to be a problem with PHP 5.3.2: cookies are not working properly in some cases, for example when running PhpBB 3.0.5 (and probably other versions also).

The reason **seems** to be that the $_COOKIE super global variable is not always populated with received cookies, and the most visible effect is that the users of my phpBB forum are not able to use the “automatic logon” feature of phpBB.

However, a simple test case with the setcookie function works properly, so I don’t know exactly what kind of cookie can trigger the bug.

Downgrading to phpBB 5.2.13 or lower effectively fix the problem.

I made multiple tries, using either 5.2.6, 5.2.13 or 5.3.2, either compiled by myself or installed from Debian packages, with or without the Debian security patches, while keeping the same php.ini configuration in all cases, and the result was always the same:
- with 5.2.6 or 5.2.13, cookies are handled properly, and phpBB users can use the phpBB's automatic “automatic logon” feature.
- with 5.3.2, cookies seem to be blocked, $_COOKIE is not populated (except maybe by as many empty strings as the number of expected cookies).

The server also uses Apache 2.2.9 and MySQL 5.1.46, and I tried on two different Debian 5.0.4 configurations, one as 32 bits at my home and one as 64 bits in a datacenter.

I used Wireshark for network sniffing, so I can tell that cookies are truely present in HTTP headers.

I tracked the $_COOKIE variable by adding a "error_log(print_r($_COOKIE, true))" instruction near the beginning of the phpBB common code.

Test script:
---------------
I'm sorry, I don't know how to make a short test script showing the problem. I tried a short test with setcookie but it worked properly, even with 5.3.2. I suppose that there are some combined interactions within phpBB triggering this problem when they happen altogether.

The only procedure that I can suggest is the following:

- Install a phpBB server (download from http://www.php.net/) with the default configuration.
- Create a user account with any name.
- Try to login on this account. Don't forget to check the "Log me on automatically each visit" option when login.
- Browse a little inside the forum, check that the connexion is kept by session ID.
- Quit your browser, closing all of its Windows.
- Reopen the browser, and open again the phpBB forum. Use the root address of the forum, without the session ID parameter.


Expected result:
----------------
When opening the forum homepage, login should be already made, kept from previous session.
This is what happens with 5.2.6 or 5.2.13.


Actual result:
--------------
Forum open correctly, but previous login is completely forgotten.
This is what happens with 5.3.2.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-06-08 07:54 UTC] philip@php.net
-Status: Open +Status: Feedback
 [2010-06-08 07:54 UTC] philip@php.net
Maybe you can reproduce by isolating the phpBB "automatic logon" feature? Do the 
phpBB people have any ideas? I suspect they'd do a more efficient job finding this 
bug.
 [2010-06-08 13:05 UTC] nospam at nospam dot homelinux dot org
-Status: Feedback +Status: Open
 [2010-06-08 13:05 UTC] nospam at nospam dot homelinux dot org
Isolating the phpBB "automatic logon" feature would likely be a long and complex task, as I haven't deeply studied its code.
I already opened a topic on the phpBB forum about 10 days ago, I just added an update to it.
http://www.phpbb.com/community/viewtopic.php?t=2092537

Gingko
 [2010-06-14 00:31 UTC] dklanac at gmail dot com
Correction.  My local PHP version whose cookies work properly is 5.3.1.
 [2010-08-16 04:57 UTC] kalle@php.net
-Status: Open +Status: Feedback
 [2010-08-16 04:57 UTC] kalle@php.net
Does it happen with 5.3.3? Which SAPI are you using? And do you have an example of the HTTP requests/responses where you clearly can see there is cookies and $_COOKIE still is empty?
 [2013-02-18 00:34 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Mon Apr 21 02:02:11 2014 UTC