Bug #59069 Session handler unexpected behavior on empty ID strings
Submitted: 2010-02-10 07:49 UTC Modified: -
Votes:21
Avg. Score:3.8 ± 0.9
Reproduced:19 of 20 (95.0%)
Same Version:5 (26.3%)
Same OS:5 (26.3%)
From: bugs at prieser dot net Assigned:
Status: Open Package: memcache (PECL)
PHP Version: 5_3.1RC2 OS: Debian/Ubuntu
Private report: No CVE-ID: None

 [2010-02-10 07:49 UTC] bugs at prieser dot net
Description:
------------
Found this behavior on a production system:
User calls URI with empty SID parameter like this: 
test.php?mySID=
php / memcache spits out warnings and session functionality is not available on this page (write doesn't work).

The standard PHP files session handler handles this error by generating a new ID, using it to write session data, and sending a cookie with the new ID.

The memcache session handler used to throw an ugly warning. Since 3.0.4 it just ignores the problem. Leaves developers alone with probably messed up pages.

Instead of ignoring the issue memcache should generate a new id and use it just like the standard files handler would do.


Versions:
 PHP: from 5.2.6 to 5.3.1 stable
 memcache: all from 2.2.5 to 3.0.4

 tested on lighttpd with php-cgi

php.ini changes:
 session.save_handler = memcache
 session.save_path = "tcp://localhost:11211"
 session.use_only_cookies = 0


Reproduce code:
---------------
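<?php
  // Request as test.php?mySID= (empty ID) with the php.ini changes above.
  session_name('mySID');

  session_start();
  echo session_name()."=".session_id()."<br>\n";

  // Counter makes a failed session write visible on reload.
  if (!isset($_SESSION['count'])) $_SESSION['count'] = 0;
  $_SESSION['count']++;
  var_dump($_SESSION);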



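Workaround:
<?php
  session_name('mySID');

  // Drop an empty ID from the query string before session_start() sees it,
  // so a new ID is generated instead of an empty key being used.
  if (isset($_GET[session_name()]) && $_GET[session_name()] === "") {
    unset($_GET[session_name()]);
  }

  session_start();
  echo session_name()."=".session_id()."<br>\n";

  if (!isset($_SESSION['count'])) $_SESSION['count'] = 0;
  $_SESSION['count']++;
  var_dump($_SESSION);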

Expected result:
----------------
A newly generated Session_id on every request for 'test.php?mySID='
if the client disabled cookies.

Actual result:
--------------
Empty Session_id and no write of session data.
On older memcache versions (<3.0.3) PHP Warnings and Errors like: 

Warning: Unknown: Failed to write session data (memcache). Please verify that the current setting of session.save_path is correct (tcp://localhost:11211) in Unknown on line 0

Warning: session_start() [function.session-start]: Key cannot be empty in /var/www/index.php on line 4
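
Added example (not part of the original report, and not code from the memcache extension): the workaround above extended to the other places a session ID can arrive, with a log entry so empty-ID requests are visible to operators. It assumes, as the workaround does, that session_start() reads the ID from the request superglobals; drop_empty_session_id() is a hypothetical helper name.

```php
<?php
// Added example: remove an empty session ID from every request source
// before session_start() runs, so PHP generates a fresh ID instead of
// handing an empty key to the memcache session handler.

/**
 * Hypothetical helper. Returns the sources ('GET', 'POST', 'COOKIE')
 * from which an empty ID was removed, so the caller can log them.
 */
function drop_empty_session_id($name, array &$get, array &$post, array &$cookie)
{
    $removed = array();
    $sources = array('GET' => &$get, 'POST' => &$post, 'COOKIE' => &$cookie);
    foreach ($sources as $label => &$source) {
        // Only an ID that is present but empty is touched; a non-empty
        // ID is left for the session module to handle.
        if (isset($source[$name]) && $source[$name] === '') {
            unset($source[$name]);
            $removed[] = $label;
        }
    }
    unset($source); // break the reference left over from the loop
    return $removed;
}

session_name('mySID');

$removed = drop_empty_session_id(session_name(), $_GET, $_POST, $_COOKIE);
if ($removed) {
    // Assumption: empty IDs are worth recording; adjust to local logging.
    error_log('empty ' . session_name() . ' dropped from: ' . implode(',', $removed));
}

session_start();

if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
}
$_SESSION['count']++;
```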



Last updated: Mon Aug 19 02:01:28 2019 UTC