php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #71289 JIT $_FILES initilization is required for multiple session.name to work
Submitted: 2016-01-05 17:08 UTC Modified: 2016-01-20 16:19 UTC
From: pfenderd at bellsouth dot net Assigned:
Status: Analyzed Package: Session related
PHP Version: irrelevant OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: pfenderd at bellsouth dot net
New email:
PHP Version: OS:

 

 [2016-01-05 17:08 UTC] pfenderd at bellsouth dot net
Description:
------------
Using session_name() to specify a name immediately before session_start() causes the session_progress feature to indicate that an upload has completed immediately even though the file is still being sent.  In my test case, the only difference between a working version and the failed version is the used of session_name().

Without using session_name(), the session_progress feature works very well.

I currently use session_name() to differentiate sessions when using the same browser to access different web pages in different tabs that show data from different websites on the same server.  This feature works well except for the session_progress feature.

Test script:
---------------
$session_name_str = "upload_session";
session_name($session_name_str);
session_start();


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-01-05 18:19 UTC] pfenderd at bellsouth dot net
When I mentioned session_progress, I was referring to the session.upload_progress feature.
 [2016-01-06 22:04 UTC] pfenderd at bellsouth dot net
The problem is a little bit more complicated than first thought. When a browser is first opened and a session started using session_name() before session_start() the problem will continue to occur.  However, if a session is opened without using session_name() just once, then thereafter the use of session_name() will not cause a problem.  This is repeatable with IE 11, Firefox 43.0.4, Chrome 47.0.2526.106  and Opera 34.0.2036.31.
Test using session_name(): http://dayspeaknet.djpnet.dyndns.org/upload_sermons/upx/form1.php
Test without using session_name():
http://dayspeaknet.djpnet.dyndns.org/upload_sermons/upx/form1.php?sn=0

The only difference between these two test URLs is the use of session_name() or not.
Closing the browser and opening the browser again creates the problem situation.
 [2016-01-07 01:44 UTC] pfenderd at bellsouth dot net
More on the problem conditions:  To make the session_name() function work with session.upload_progress, the session first needs to be started without using session_name() AND also a file upload needs to be done.  Once the first file has been uploaded, then it is safe to use session_name() and the progress feature will work properly.
Test using session_name(): http://upx.djpnet.dyndns.org/form1.php
Test without using session_name(): http://upx.djpnet.dyndns.org/form1.php?sn=0
 [2016-01-07 05:09 UTC] yohgaki@php.net
-Status: Open +Status: Analyzed -Type: Bug +Type: Feature/Change Request -Operating System: Windows 7 +Operating System: any -PHP Version: 7.0.1 +PHP Version: irrelevant
 [2016-01-07 05:09 UTC] yohgaki@php.net
The reason why changing session name after module initialization does not work is the way RFC 1867 callback implemented.

Upload progress callback (php_rfc1867_callback) is registered when session module is initialized. It is used when RFC 1867 upload is performed and handled in main/rfc1867.c. 

This means changing session name in user script is too late to make it work. I think it does not work in older versions also, does it?

Possible fix would be delaying file upload handling and/or handle file upload manually. PHP handles file uploading automatically now. Anyway, user cannot make use of session_name('NEW_NAME')/ini_set('session.name', 'NEW_NAME') to use multiple file upload progress handling. 

I checked the code briefly. Please correct me if I'm wrong.
 [2016-01-07 05:14 UTC] yohgaki@php.net
Possible work around is to set session.name in .htaccess. "php_value" directive is processed before uploaded file handling. If you use .htaccess (or like) to set different session name, it should work. You'll need individual files, at least symlink, though.
 [2016-01-07 05:20 UTC] yohgaki@php.net
-Summary: Using session_name() prevents session_progress features from working +Summary: JIT $_FILES initilization is required for multiple session.name to work
 [2016-01-20 16:19 UTC] pfenderd at bellsouth dot net
Is there a difference in how sessions are handled using the API or the fast CGI on the server side?  My testing has been on Windows 7 using IIS 7.5.  If there is a difference in the server type of session handling, then this should be well documented so programmers can deal with it.

The problem has nothing to do with multiple files being uploaded, only a single file.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Jun 26 22:01:26 2019 UTC