#42367 [NEW]: Keeping track of session ID fails due to referer_check when link is clicked

Tue, 21 Aug 2007 15:04:18 -0700 

From:             g dot schuster at laxit dot com
Operating system: Windows XP Pro SP2
PHP version:      5.2.3
PHP Bug Type:     Session related
Bug description:  Keeping track of session ID fails due to referer_check when 
link is clicked

Description:
------------
Keeping track of the session ID fails due to refere_check when a link is
clicked even if session.refere_check is disabled in the global AND in the
local config.
phpinfo() correctly states session.referer_check=0 for both global and
local config.

If you add the URL parameters (NOT the session id parameters!) to the URL
and hit "Enter" everything works fine because, in my case, FireFox doesn't
send a referer.

Problem can be solved if ini_set('session.referer_check', FALSE); is set
in the script.

Reproduce code:
---------------
http://www.laxit.com/tmp_files/phpbug/session_bug.html
http://www.laxit.com/tmp_files/phpbug/phpinfo.html

Expected result:
----------------
Session keeps state and doesn't check for referer if
session.referer_check=0

Actual result:
--------------
session_id($_REQUEST[session_name()]);
session_start();

creates a new session because it doesn't respect the
session.refere_check=0

-- 
Edit bug report at http://bugs.php.net/?id=42367&edit=1
-- 
Try a CVS snapshot (PHP 4.4): 
http://bugs.php.net/fix.php?id=42367&r=trysnapshot44
Try a CVS snapshot (PHP 5.2): 
http://bugs.php.net/fix.php?id=42367&r=trysnapshot52
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=42367&r=trysnapshot60
Fixed in CVS:                 http://bugs.php.net/fix.php?id=42367&r=fixedcvs
Fixed in release:             
http://bugs.php.net/fix.php?id=42367&r=alreadyfixed
Need backtrace:               http://bugs.php.net/fix.php?id=42367&r=needtrace
Need Reproduce Script:        http://bugs.php.net/fix.php?id=42367&r=needscript
Try newer version:            http://bugs.php.net/fix.php?id=42367&r=oldversion
Not developer issue:          http://bugs.php.net/fix.php?id=42367&r=support
Expected behavior:            http://bugs.php.net/fix.php?id=42367&r=notwrong
Not enough info:              
http://bugs.php.net/fix.php?id=42367&r=notenoughinfo
Submitted twice:              
http://bugs.php.net/fix.php?id=42367&r=submittedtwice
register_globals:             http://bugs.php.net/fix.php?id=42367&r=globals
PHP 3 support discontinued:   http://bugs.php.net/fix.php?id=42367&r=php3
Daylight Savings:             http://bugs.php.net/fix.php?id=42367&r=dst
IIS Stability:                http://bugs.php.net/fix.php?id=42367&r=isapi
Install GNU Sed:              http://bugs.php.net/fix.php?id=42367&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=42367&r=float
No Zend Extensions:           http://bugs.php.net/fix.php?id=42367&r=nozend
MySQL Configuration Error:    http://bugs.php.net/fix.php?id=42367&r=mysqlcfg

Reply via email to