php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68015 Session does not report invalid uid for files save handler
Submitted: 2014-09-12 20:44 UTC Modified: 2016-09-09 02:30 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: rmoisto at gmail dot com Assigned: yohgaki
Status: Closed Package: Session related
PHP Version: 5.5.16 OS: Ubuntu 12 x64
Private report: No CVE-ID:
 [2014-09-12 20:44 UTC] rmoisto at gmail dot com
Description:
------------
I have a tiny cli script that accepts a session id as a command line argument. It's job is to fetch that session and print it out.

Since upgrading to PHP 5.5.16 the $_SESSION variable is always empty. It did work before.

Test script:
---------------
<?php
session_id($argv[1]);
session_start();
var_dump($_SESSION);

Expected result:
----------------
$_SESSION is an array filled with session information.

Actual result:
--------------
$_SESSION is an empty array.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-03 03:43 UTC] yohgaki@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: yohgaki
 [2015-02-03 03:43 UTC] yohgaki@php.net
It seems working now. Do you still have this issue?

[yohgaki@dev PHP-5.5]$ cat t1.php
<?php
session_id($argv[1]);
session_start();
var_dump($_SESSION);
$_SESSION['test']=time();
[yohgaki@dev PHP-5.5]$ ./php-bin -d session.use_strice_mode=0 t1.php 21345
array(1) {
  ["test"]=>
  int(1422934949)
}
[yohgaki@dev PHP-5.5]$ ./php-bin -d session.use_strice_mode=0 t1.php 21345
array(1) {
  ["test"]=>
  int(1422934964)
}
 [2015-02-03 21:17 UTC] rmoisto at gmail dot com
The problem is still present.

Output of "php -v":
PHP 5.5.18-1+deb.sury.org~precise+1 (cli) (built: Oct 17 2014 15:11:34)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
    with Zend OPcache v7.0.4-dev, Copyright (c) 1999-2014, by Zend Technologies


I've updated my test script:
<?php
session_id($argv[1]);
session_start();
echo file_get_contents('/var/lib/php5/sessions/sess_' . $argv[1]) . PHP_EOL;
var_dump($_SESSION);
var_dump(session_id());
var_dump(session_save_path());

Which outputs:
(actual data in the session file, too much of it to paste here)
array(0) {
}
string(26) "l8lrlpo9t36guik6m8h04lnaa6"
string(22) "/var/lib/php5/sessions"


The assumption that a CLI script is filling the session is false.
It is filled by fpm that is used by the web server (nginx).
 [2015-02-15 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2015-02-15 07:48 UTC] requinix@php.net
-Status: No Feedback +Status: Open
 [2015-05-24 06:28 UTC] yohgaki@php.net
-Status: Assigned +Status: Not a bug
 [2015-05-24 06:28 UTC] yohgaki@php.net
I think you have use_strict_mode = On in you php.ini
Look for "php -i" output if it is disabled.

session.use_strict_mode => Off => Off

Unless you disable it, new session ID is always created and used, rather than supplied session ID. Feel free to reopen is you have issue with use_strict_mode=Off.
 [2015-05-24 16:06 UTC] rmoisto at gmail dot com
I have

session.use_strict_mode = 0

in both cli and fpm versions of php.ini

I haven't touched it, it's the default value.
Tried my test code again and no luck. Tried changing 0 to Off but still the same.
 [2015-07-18 21:28 UTC] rmoisto at gmail dot com
I was testing this issue with PHP 7 beta.

What I found was PHP is checking for the owner of the session file. Obviously the reader/writer of the file will be different for cli and fpm, therefore the issue.

Why is PHP doing this? File permissions don't even matter which makes no sense.

So I'm guessing all I need to do in order for a workaround is figure out how to start my scripts as www-data.

On closer inspection the issue might be only with root user. My script is failing when I start it with root every time except when the session file is owned by root.
 [2015-07-21 02:54 UTC] yohgaki@php.net
File owner/group matters under shared environment. You must use non-root user/group if you would like to tweak session variable from CLI.
 [2015-07-21 04:16 UTC] yohgaki@php.net
-Status: Not a bug +Status: Re-Opened
 [2015-07-21 04:16 UTC] yohgaki@php.net
Raise more descriptive error for this. We have multiple bug reports for this behavior.
 [2016-09-09 02:30 UTC] yohgaki@php.net
-Summary: Session is not filled in cli script +Summary: Session does not report invalid uid for files save handler
 [2016-09-09 02:42 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=38553e853b65eb84f919e4f5c5b9e702f1842b62
Log: Fixed Bug #68015 Session does not report invalid uid for files save handler
 [2016-09-09 02:42 UTC] yohgaki@php.net
-Status: Re-Opened +Status: Closed
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=38553e853b65eb84f919e4f5c5b9e702f1842b62
Log: Fixed Bug #68015 Session does not report invalid uid for files save handler
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC