From: mg at memedia dot de
Operating system: GNU/Debian 4.0
PHP version: 5.2.5
PHP Bug Type: Session related
Bug description: Session data got loaded multiple times for different users

Description:
------------
A customer was forwarded to me on the phone today, telling me she would see the customer area of another customer on our online-shop. That was indeed very surprising. The site uses no client side cookies, except the one from the PHP session management. Anyway, she got on our site by typing in the URL into the address bar, no injections and stuff.

Moreover I found out that she was not the only one with the "problem". From 12:14:28 to 13:57:36 I count about 10 different IP addresses with different browsers in our logs that used ONE session (d28b9616a3013ef6441f8e4383d7e05b).

The session must have been loaded multiple times, because we put that data also in our db-based user-tracking. It seems the session was started different times with the same SessionID. There was no session id given by URL or cookie. People came according to the referer from different sites.

As I said we use the PHP session management. There are about 20-30 people most of the time online. Not every one was affected. The file itself (under /var/lib/php5) seems to be ok. We're using the distribution from dotdeb.org on our servers.

Any clues where the problem could hang? Is it Apache or PHP? How is the hash for the session file created?

I guess I will add an IP-referer and Browser User Agent check first to avoid the problem in future.

Reproduce code:
---------------

-- 
Edit bug report at http://bugs.php.net/?id=43451&edit=1
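
An added example, not part of the original report: one way to scan user-tracking records for session ids that were used by several distinct clients, which is the pattern the reporter found in the logs. The row layout, the threshold, the function name and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows: (timestamp, session id, client IP, User-Agent).
# The date, the session ids and the addresses (documentation ranges) are made up.
SAMPLE = [
    ("2000-01-01 12:14:28", "sess-A", "192.0.2.10", "Firefox/2.0"),
    ("2000-01-01 12:40:02", "sess-A", "198.51.100.7", "MSIE 7.0"),
    ("2000-01-01 13:05:11", "sess-A", "192.0.2.10", "Firefox/2.0"),
    ("2000-01-01 13:57:36", "sess-A", "203.0.113.99", "Opera/9.2"),
    ("2000-01-01 12:20:00", "sess-B", "192.0.2.55", "Safari/3.0"),
    ("2000-01-01 12:25:00", "sess-B", "192.0.2.56", "Safari/3.0"),
    ("2000-01-01 12:30:00", "sess-C", "198.51.100.20", "Firefox/2.0"),
]


def find_shared_sessions(rows, max_clients=2):
    """Report sessions seen from more than max_clients distinct (IP, UA) pairs.

    One user can legitimately change IP (proxy pool, mobile network), so the
    default tolerates two fingerprints before a session is reported.
    """
    clients = defaultdict(set)   # session id -> {(ip, user agent), ...}
    seen = defaultdict(list)     # session id -> [request time, ...]
    for ts, sid, ip, ua in rows:
        clients[sid].add((ip, ua))
        seen[sid].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))

    report = {}
    for sid, fingerprints in clients.items():
        if len(fingerprints) > max_clients:
            report[sid] = {
                "clients": sorted(fingerprints),
                "requests": len(seen[sid]),
                "first": min(seen[sid]),
                "last": max(seen[sid]),
            }
    return report


if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE).items():
        print(sid, info["requests"], "requests from", len(info["clients"]),
              "clients between", info["first"], "and", info["last"])
        for ip, ua in info["clients"]:
            print("   ", ip, ua)
```

The same grouping also shows when a shared session id first appeared, which helps match it against web server and session-file timestamps.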
