Bug #9390 PHPSESSID adds itself to $HTTP_POST_VARS
Submitted: 2001-02-21 20:41 UTC Modified: 2001-04-19 09:28 UTC
From: aaron dot lake at kvaerner dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4.0.4pl1 OS: HP-UX 11.00
Private report: No CVE-ID: None
 [2001-02-21 20:41 UTC] aaron dot lake at kvaerner dot com
Problem:

For some reason PHP adds PHPSESSID to $HTTP_POST_VARS

At login, I use:
session_start();
$sid = session_id();
session_register("sid");
etc.....

2 pages into the session the var PHPSESSID
appears as the first element in the post array.

My app has been behaving until I started playing with
gc_probability in php.ini.

My identical dev website with identical code does not
reproduce this problem.

Config INFO:

Compile Directives:
'./configure' '--prefix=/../../php_prod' '--with-config_file_path=/../../php_prod/lib' '--with-oci8' '--with-apache=/../../apache_prod' '--enable-track-vars' '--enable-trans-sid' '--enable-ftp'


php.ini session config:

[Session]
session.save_handler      = files   ;
session.save_path         = /usr/local/session ;
session.use_cookies       = 0       ;
session.name              = PHPSESSID ;
session.auto_start        = 0       ;
session.cookie_lifetime   = 0       ;
session.cookie_path       = /
session.serialize_handler = php     ;
session.gc_probability    = 1       ;
session.gc_maxlifetime    = 1800    ;
session.referer_check     =         ;
session.entropy_length    = 0       ;
session.entropy_file      =         ;
; session.entropy_length    = 16
; session.entropy_file      = /dev/urandom
session.cache_limiter     = nocache ;
session.cache_expire      = 180     ;
session.use_trans_sid     = 1       ;

[EOF]

 [2001-03-16 17:37 UTC] sas@php.net
Since you are using the transparent session id feature, the obvious question is: Do you use forms with method=POST?
 [2001-03-16 17:46 UTC] sniper@php.net
In php.ini:

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

Remove the last setting, form=fakeentry.
(or if you don't have this directive in your php.ini,
add it without the last setting.)

--Jani

 [2001-03-19 14:05 UTC] aaron dot lake at kvaerner dot com
Thanks Jani,

As suggested:

In php.ini:

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

Remove the last setting, form=fakeentry.
(or if you don't have this directive in your php.ini,
add it without the last setting.)

When I added this conf. directive and bounced the web server, $HTTP_POST_VARS (using the POST method) contained
NO elements.

I added this directive to my identical development environment and noticed no ill effects.




 [2001-03-19 14:12 UTC] sniper@php.net
Both environments run same php.ini? Same version of PHP?
Same configure line used on building both PHP's?

--Jani

 [2001-03-19 14:13 UTC] aaron dot lake at kvaerner dot com
Thanks Jani,

As suggested:

In php.ini:

url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

Remove the last setting, form=fakeentry.
(or if you don't have this directive in your php.ini,
add it without the last setting.)

When I added this conf. directive and bounced the web server, $HTTP_POST_VARS (using the POST method) contained
NO elements.

I added this directive to my identical development environment and noticed no ill effects.




 [2001-03-19 14:16 UTC] aaron dot lake at kvaerner dot com
Both production and development environments
are using identical versions and configurations 
of apache web server 1.3.14 and php 4.0.4 pl1,
php.ini config is also identical.
 [2001-03-19 14:24 UTC] aaron dot lake at kvaerner dot com
Woops!

No, it still doesn't work.

Aaron.
 [2001-03-19 14:38 UTC] sniper@php.net
Stupid question: did you restart your apache after
adding that php.ini directive? And did you restart it
like this:

./apachectl stop
./apachectl start

(I'm just guessing here.. :)

And does it work on your development environment or not?
(the 'no ill effects'?)

--Jani

 [2001-03-19 14:39 UTC] aaron dot lake at kvaerner dot com
Both production and development environments
are using identical versions and configurations 
of apache web server 1.3.14 and php 4.0.4 pl1,
php.ini config is also identical.
 [2001-03-19 14:43 UTC] aaron dot lake at kvaerner dot com
Jani,

That is correct,
I did explicitly stop and start the web server
(prod and dev) using the ./apachectl stop ... start.

Dev works fine.

Aaron.
 [2001-03-19 14:50 UTC] sniper@php.net
I suggest you check that they REALLY are identical.
And I guess you're trying with same scripts? :)

--Jani
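
Added example, not part of the original thread and not PHP's own code: one way to confirm that two php.ini files really agree on the session and url_rewriter directives discussed above, and to see whether a file still has trans-sid rewriting applied to form tags. The function names and both sample files are constructed for illustration; treating a missing url_rewriter.tags line as the tag list quoted in the thread is an assumption drawn from the reply above.

```python
import re

WATCHED = re.compile(r"^(session|url_rewriter)\.")
# Tag list quoted in the thread; the reply implies it is also what applies
# when php.ini has no url_rewriter.tags line (assumption for this sketch).
DEFAULT_TAGS = "a=href,area=href,frame=src,input=src,form=fakeentry"

def parse_ini(text):
    """Return {directive: value} for the active (uncommented) lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith('"'):
            value = value[1:].split('"', 1)[0]      # text between the quotes
        else:
            value = value.split(";", 1)[0].strip()  # drop trailing comment
        settings[key.strip()] = value
    return settings

def diff_watched(ini_a, ini_b):
    """(directive, value_a, value_b) for each watched directive that differs."""
    a, b = parse_ini(ini_a), parse_ini(ini_b)
    keys = sorted(k for k in set(a) | set(b) if WATCHED.match(k))
    return [(k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)]

def rewrites_forms(ini_text):
    """True when trans-sid is explicitly on and the tag list names <form>."""
    s = parse_ini(ini_text)
    tags = s.get("url_rewriter.tags", DEFAULT_TAGS).split(",")
    names_form = any(t.split("=")[0].strip().lower() == "form" for t in tags)
    return s.get("session.use_trans_sid", "").lower() in ("1", "on") and names_form

# Constructed sample files, not the reporter's real configuration.
PROD_INI = """[Session]
session.use_cookies   = 0 ;
session.use_trans_sid = 1 ;
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
"""
DEV_INI = """[Session]
session.use_cookies   = 0 ;
session.use_trans_sid = 1 ;
; url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
url_rewriter.tags = "a=href,area=href,frame=src,input=src"
"""

if __name__ == "__main__":
    for name, prod, dev in diff_watched(PROD_INI, DEV_INI):
        print(f"{name}: prod={prod!r} dev={dev!r}")
    print("prod rewrites forms:", rewrites_forms(PROD_INI))
```
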

 [2001-04-19 09:28 UTC] sniper@php.net
No feedback. If problem still persists when using PHP 4.0.5,
reopen this bug report.

--Jani

 
Last updated: Tue Sep 25 17:01:26 2018 UTC