#46250 [Com]: wrong session id passed to read handler

Wed, 08 Oct 2008 14:45:24 -0700 

 ID:               46250
 Comment by:       axel dot starck at contec dot ca
 Reported By:      axel dot starck at contec dot ca
 Status:           Feedback
 Bug Type:         Session related
 Operating System: Linux RedHat 8, 2.4.20-20.8cus
 PHP Version:      5.3.0alpha2
 New Comment:

found it:

; This option enables administrators to make their users invulnerable
to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1

use_only_cookies defaults to 0 in 5.2.6
but defaults to 1 in 5.3.0alpha2
setting it to 0 solves the problem

session.use_only_cookies = 0


Previous Comments:
------------------------------------------------------------------------

[2008-10-08 18:19:45] [EMAIL PROTECTED]

Is the same php.ini used for both? Check all the session.* ini 
options in both versions phpinfo() output..

------------------------------------------------------------------------

[2008-10-07 23:45:23] axel dot starck at contec dot ca

Description:
------------
we have our own db base session handler.
it looks like with v5.3.0 the session id passed to the read handler is
not not the one passed as parameter to the script.
the code is in production for years. switching back to v5.2.6
solves the problem. see code/trace snipped below


Reproduce code:
---------------
error_log ("-1-".$_SERVER["REQUEST_URI"]."--".print_r ($_REQUEST,
true)."--");
....
function sess_read ($id)
{
  error_log ("--sess_read (id=$id)--");
  ...................
}
.........
session_set_save_handler ('sess_open', 'sess_close', 'sess_read',
'sess_write', 'sess_destroy', 'sess_gc');

if (session_start ()) error_log ("session_start:GOOD");
else                  error_log ("session_start:BAAD");
error_log ("-2-SID:".SID."--".print_r ($_SESSION, true)."--");

-----------------------------------------------------------------------------
[07-Oct-2008 16:29:53]
-1-/projects/svn/ui/base/index.php?HORNET=d72592f9adf5b04c74bb269a799aef53--Array
(
    [HORNET] => d72592f9adf5b04c74bb269a799aef53
)
--
[07-Oct-2008 16:29:53] --sess_read
(id=22cf7b3c5d839f71bc5ae12e608c1675)--
[07-Oct-2008 16:29:53] session_start:GOOD
[07-Oct-2008 16:29:53]
-2-SID:HORNET=22cf7b3c5d839f71bc5ae12e608c1675--Array
(
)
--




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=46250&edit=1

Reply via email to