Bug #54534 Sessions fail when running PHP as multiple users
Submitted: 2011-04-14 16:29 UTC
Modified: 2011-04-20 09:27 UTC
From: fredrik at dolda2000 dot com
Assigned:
Status: Wont fix
Package: Session related
PHP Version: trunk-SVN-2011-04-14 (snap)
OS: Debian
Private report: No
CVE-ID: None

 [2011-04-14 16:29 UTC] fredrik at dolda2000 dot com
Description:
------------
I'm running a website on which PHP runs as multiple different users on the 
operating system, and I'm encountering problems when a visitor to the site goes 
from a part where PHP runs as one user to another part where PHP runs as another 
user.

Since PHP saves all sessions in one directory, it will attempt to load the same 
session data as long as the visitor uses the same SID. When the session was 
created by one user, it cannot be loaded by another. That is of course, in 
itself, as it should be.

I would argue, however, that the session filenames should contain the UID of the 
user running PHP, so as to remove such conflicts. The resultant behavior is 
probably reasonable, as the different users running PHP will most likely not want 
to share session data with each other.


History

 [2011-04-19 08:31 UTC] aharvey@php.net
-Status: Open +Status: Wont fix
 [2011-04-19 08:31 UTC] aharvey@php.net
You can already handle this corner case with a custom session handler. I don't think it's a common enough problem in practice to justify changing the long-standing behaviour of PHP's default session handler.
 [2011-04-20 03:10 UTC] srinatar@php.net
Honestly, I don't think this is a corner case. Also, considering that the submitter has filed the bug against trunk - should we not give due consideration to see if this can be addressed?

IMO, closing a bug in haste will only cause a couple of duplicate bugs to be opened on the very same subject, causing overhead for both the bug submitter as well as for the evaluators.

Moving it to a feedback status allows an opportunity for the bug submitter to explain further, providing a chance for everyone to make the right decision on a given issue. - Just my 2c thought..
 [2011-04-20 03:19 UTC] fredrik at dolda2000 dot com
Are the precise filenames used an important part of this long-standing behavior?
 [2011-04-20 09:27 UTC] scottmac@php.net
Why would you have two sites on the same domain use the same session id if they're 
considered different?

Call session_name() at the top of your code with a new value, problem solved.
Conversely, call umask() and let your sessions be shared across users.

We can't change the format of the name easily since a PHP upgrade would invalidate 
all the sessions that already exist.
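
The workaround discussed in this thread (a distinct session_name() per area, combined here with a per-UID save directory so one OS user's session files are never visible to another), as an added example that is not part of the original report or of PHP's own code. BASE_DIR, the function names and the "PHPSESSIDu<uid>" naming scheme are assumptions; the posix extension is assumed to be loaded and BASE_DIR is assumed to exist and be writable by every PHP user (sticky-bit, like /tmp).

```php
<?php
declare(strict_types=1);

// Hypothetical base directory: must already exist, writable by each PHP user.
const BASE_DIR = '/var/lib/php/sessions-by-uid';

// Cookie name per OS user, so a visitor moving between areas sends a
// different SID to each one instead of an SID whose file is unreadable.
function perUserSessionName(int $uid): string
{
    // session_name() wants alphanumeric characters, not digits only.
    return 'PHPSESSIDu' . $uid;
}

// Private save directory per OS user, verified before use.
function perUserSavePath(string $base, int $uid): string
{
    $dir = rtrim($base, '/') . '/' . $uid;
    // Non-recursive mkdir: only the leaf is created, the shared base is untouched.
    if (!is_dir($dir) && !mkdir($dir, 0700) && !is_dir($dir)) {
        throw new RuntimeException("cannot create session directory $dir");
    }
    clearstatcache(true, $dir);
    // Refuse a directory that another user created first, or that is
    // accessible to group/other: session files would be exposed.
    if (fileowner($dir) !== $uid || (fileperms($dir) & 0077) !== 0) {
        throw new RuntimeException("unsafe session directory $dir");
    }
    return $dir;
}

function startIsolatedSession(string $base = BASE_DIR): void
{
    $uid = posix_geteuid();          // UID this PHP process runs as
    session_name(perUserSessionName($uid));
    session_save_path(perUserSavePath($base, $uid));
    session_start();                 // must run before any output is sent
}

startIsolatedSession();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
```

Because each area gets its own cookie name, session data is not shared between the OS users, which matches the behaviour the submitter describes as desirable.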
 
Last updated: Tue Apr 16 21:01:28 2024 UTC