php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #5360 Session not holding over.
Submitted: 2000-07-04 17:33 UTC Modified: 2001-10-28 10:43 UTC
From: thomas at neweve dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4.0.1pl2 OS: Red Hat Linux 6.1
Private report: No CVE-ID: None
 [2000-07-04 17:33 UTC] thomas at neweve dot com
This is a baffling problem. Perhaps I'm doing something wrong but I believe I'm doing everything correct.

Here is an example script of what I'm talkinng about please save this in a file called "login.phtml" or change the FORM tag to reflect the filename you choose.:

-----
<?
	session_start();

if ($login) {

	echo "Posted Variable (echo \$PHPSESSID): " . $PHPSESSID . "<BR>";
	//session_id($PHPSESSID);
	echo "session started (echo session_id()): " . session_id() . "<BR>";

	session_register("user","pass");
	echo "Variable Registered in session (echo session_id()): " . session_id() . "<BR>";

}

?><HTML>
<HEAD>
<TITLE>Login Testing</TITLE>
</HEAD>

<BODY BGCOLOR=#FFFFFF>
<BR><BR>
Session display using "echo SID;":<? echo SID; ?><BR><BR>

<FORM METHOD=POST ACTION="login.phtml">
form field populated using &lt;? echo session_id(); ?&gt;<BR>
Posting Variable: PHPSESSID: <INPUT TYPE=TEXT NAME="PHPSESSID" VALUE="<? echo session_id(); ?>" WIDTH=50><BR>
USER: <INPUT TYPE="text" NAME="user"><BR>
PASS: <INPUT TYPE="text" NAME="pass"><BR>
<INPUT TYPE=SUBMIT VALUE="login" NAME="login"><BR>
</FORM>

</BODY>
</HTML>
----

In this example, when session_start() is called, a new session variable is created. If I you uncomment the line that forces the session ID back to what it should be, the variables get registered in the proper session but when you  echo SID it reverts to the previous session and the $PHPSESSID is updated also to the new, incorrect, session.  This was done by testing under an SSL connection because this is where I need to use it.

The installation is Apache 1.3.12+mod_ssl

One Curious thing:

If I change it the method to GET then this is what happens. at the first initialization of the session it creates it, then when you submit the form, a new session is created. But every post after that retains the session ID.  Will this only work via the GET method? I sincerely hope not because I need to keep the password hidden.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2000-07-07 19:59 UTC] thomas at neweve dot com
I've tried this with IE and Netscape and it doesn't work:

http://216.235.251.8/login.phtml

TO USE: Initially you can just enter in anything you want. It will post to itself, the session is started and the phpsessid variable is blank.

Then put anything else in the user and password fields and submit again. You'll see the phpsessid populated with the previous ID but when the session_start is called, a new ID is created and in the middle when I echo SID; it displays the string.  The SID macro is working and outputing information even though the cookie is being set, contrary to the
documentation.

How do I know that the cookie is being set?  Well, I look in my cookies.txt file and find the cookie listed. (some may need to quit the browser before seeing the cookie in the file).
 [2000-07-27 21:04 UTC] waldschrott@php.net
reading the manual, php sessions support
a) GET
b) cookies

but if you want to use POST you can extract that post_var on another page and use session_name() then

read the manual on "session handling"
 [2001-10-28 10:43 UTC] jeroen@php.net
POST is also supported. If you enable transparent-session-id propagation, PHP will include a <input type=hidden> with the session name and id, and thus will work with both POST and GET.

Where in the manual does it say that post isn't supported?

See 13841 for future updates about this problem, because it seems it's the same problem after all.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 12:01:27 2024 UTC