php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #59069 Session handler unexpected behavior on empty ID strings
Submitted: 2010-02-10 07:49 UTC Modified: 2021-03-25 16:28 UTC
Votes:21
Avg. Score:3.8 ± 0.9
Reproduced:19 of 20 (95.0%)
Same Version:5 (26.3%)
Same OS:5 (26.3%)
From: bugs at prieser dot net Assigned: cmb (profile)
Status: Closed Package: memcache (PECL)
PHP Version: 5_3.1RC2 OS: Debian/Ubuntu
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bugs at prieser dot net
New email:
PHP Version: OS:

 

 [2010-02-10 07:49 UTC] bugs at prieser dot net
Description:
------------
Found this behavior on a productive System:
User calls URI with empty SID parameter like this: 
test.php?mySID=
php / memcache spits out warnings and session functionality is not available on this page (write doesn't work).

Standard PHP files session handler handles this error by generating a new id and uses the new one to write session data and sends a cookie with the new id.

memcache session handler used to throw a ugly warning. Since 3.0.4 it just ignores the problem. Leaves developers alone with probably messed up pages.

Instead of ignoring the issue memcache should generate a new id and use it just like the standard files handler would do.


Versions:
 PHP: from 5.2.6 to 5.3.1 stable
 memcache: all from 2.2.5 to 3.0.4

 tested on lighttpd with php-cgi

php.ini changes:
 session.save_handler = memcache
 session.save_path = "tcp://localhost:11211"
 session.use_only_cookies = 0


Reproduce code:
---------------
<?
  session_name('mySID');

  session_start();
  echo session_name()."=".session_id()."<br>\n";

  $_SESSION['count']++;
  var_dump($_SESSION);



workaround: 
<?
  session_name('mySID');

  if ($_GET[session_name()] == "") unset($_GET[session_name()]);

  session_start();
  echo session_name()."=".session_id()."<br>\n";

  $_SESSION['count']++;
  var_dump($_SESSION);

Expected result:
----------------
A new generated Session_id on every reguest for 'test.php?mySID='
if client disabled cookies.

Actual result:
--------------
Empty Session_id and no write of session data.
On older memcache versions (<3.0.3) PHP Warnings and Errors like: 

Warning: Unknown: Failed to write session data (memcache). Please verify that the current setting of session.save_path is correct (tcp://localhost:11211) in Unknown on line 0

Warning: session_start() [function.session-start]: Key cannot be empty in /var/www/index.php on line 4



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-03-25 16:28 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-03-25 16:28 UTC] cmb@php.net
The official bug tracker for PECL/memcache is now at
<https://github.com/websupport-sk/pecl-memcache/issues>.

So, if this is still an issue with either of the current memcache
versions (4 or 8), please file an issue there.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 08:01:27 2024 UTC