#42367 [Opn->Bgs]: Keeping track of session ID fails due to referer_check when referer is sent

Wed, 22 Aug 2007 02:05:36 -0700 

 ID:               42367
 Updated by:       [EMAIL PROTECTED]
 Reported By:      g dot schuster at laxit dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         Session related
 Operating System: Windows XP Pro SP2
 PHP Version:      5.2.3
 New Comment:

You should sometimes read what is said in the php.ini-dist about the
options. This has always been like this:

; Check HTTP Referer to invalidate externally stored URLs containing
ids.
; HTTP_REFERER has to contain this substring for the session to be
; considered as valid.
session.referer_check =

This is NOT some option you turn off/on. To "turn it off" you simply
don't a) set it in php.ini or b) set it with empty value.


Previous Comments:
------------------------------------------------------------------------

[2007-08-21 23:10:34] g dot schuster at laxit dot com

>when a link is clicked
should mean "when a referer is sent"

Sorry for that mistake, been awake for too long.

------------------------------------------------------------------------

[2007-08-21 22:04:07] g dot schuster at laxit dot com

Description:
------------
Keeping track of the session ID fails due to refere_check when a link
is clicked even if session.refere_check is disabled in the global AND in
the local config.
phpinfo() correctly states session.referer_check=0 for both global and
local config.

If you add the URL parameters (NOT the session id parameters!) to the
URL and hit "Enter" everything works fine because, in my case, FireFox
doesn't send a referer.

Problem can be solved if ini_set('session.referer_check', FALSE); is
set in the script.

Reproduce code:
---------------
http://www.laxit.com/tmp_files/phpbug/session_bug.html
http://www.laxit.com/tmp_files/phpbug/phpinfo.html

Expected result:
----------------
Session keeps state and doesn't check for referer if
session.referer_check=0

Actual result:
--------------
session_id($_REQUEST[session_name()]);
session_start();

creates a new session because it doesn't respect the
session.refere_check=0


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=42367&edit=1

Reply via email to