ID: 46250
Updated by: [EMAIL PROTECTED]
Reported By: axel dot starck at contec dot ca
-Status: No Feedback
+Status: Bogus
Bug Type: Session related
Operating System: Linux RedHat 8, 2.4.20-20.8cus
PHP Version: 5.3.0alpha2
New Comment:
.
Previous Comments:
------------------------------------------------------------------------
[2008-10-16 01:00:01] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
------------------------------------------------------------------------
[2008-10-08 21:45:10] axel dot starck at contec dot ca
found it:
; This option enables administrators to make their users invulnerable to
; attacks which involve passing session ids in URLs; defaults to 0.
; session.use_only_cookies = 1
use_only_cookies defaults to 0 in 5.2.6
but defaults to 1 in 5.3.0alpha2
setting it to 0 solves the problem
session.use_only_cookies = 0
------------------------------------------------------------------------
[2008-10-08 18:19:45] [EMAIL PROTECTED]
Is the same php.ini used for both? Check all the session.* ini
options in both versions' phpinfo() output.
------------------------------------------------------------------------
[2008-10-07 23:45:23] axel dot starck at contec dot ca
Description:
------------
we have our own db-based session handler.
it looks like with v5.3.0 the session id passed to the read handler is
not the one passed as parameter to the script.
the code has been in production for years. switching back to v5.2.6
solves the problem. see code/trace snippet below
Reproduce code:
---------------
error_log ("-1-".$_SERVER["REQUEST_URI"]."--".print_r ($_REQUEST, true)."--");
....
function sess_read ($id)
{
    error_log ("--sess_read (id=$id)--");
    ...................
}
.........
session_set_save_handler ('sess_open', 'sess_close', 'sess_read',
                          'sess_write', 'sess_destroy', 'sess_gc');
if (session_start ()) error_log ("session_start:GOOD");
else error_log ("session_start:BAAD");
error_log ("-2-SID:".SID."--".print_r ($_SESSION, true)."--");
-----------------------------------------------------------------------------
[07-Oct-2008 16:29:53] -1-/projects/svn/ui/base/index.php?HORNET=d72592f9adf5b04c74bb269a799aef53--Array
(
[HORNET] => d72592f9adf5b04c74bb269a799aef53
)
--
[07-Oct-2008 16:29:53] --sess_read (id=22cf7b3c5d839f71bc5ae12e608c1675)--
[07-Oct-2008 16:29:53] session_start:GOOD
[07-Oct-2008 16:29:53] -2-SID:HORNET=22cf7b3c5d839f71bc5ae12e608c1675--Array
(
)
--
------------------------------------------------------------------------
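Added example (not part of the bug report and not PHP's own code): a simplified model of the order in which the session module looks for an incoming session id, applied to the request from the trace under both session.use_only_cookies defaults reported in the thread. The function name session_id_source is hypothetical, and session.use_cookies = 1 is an assumption, since the report does not state it.

```php
<?php
// Added example, not from the bug report. Simplified model of where
// session_start() takes the incoming session id from.
function session_id_source(array $ini, array $cookie, array $get, array $post): array
{
    $name        = $ini['session.name'];
    $useCookies  = filter_var($ini['session.use_cookies'], FILTER_VALIDATE_BOOLEAN);
    $onlyCookies = filter_var($ini['session.use_only_cookies'], FILTER_VALIDATE_BOOLEAN);

    // A session cookie is consulted first.
    if ($useCookies && isset($cookie[$name])) {
        return ['source' => 'cookie', 'id' => $cookie[$name]];
    }
    // Request parameters are only consulted when use_only_cookies is off.
    if (!$onlyCookies) {
        foreach (['get' => $get, 'post' => $post] as $source => $vars) {
            if (isset($vars[$name])) {
                return ['source' => $source, 'id' => $vars[$name]];
            }
        }
    }
    // No accepted id: a fresh one is generated and handed to the read handler.
    $ignored = $onlyCookies && (isset($get[$name]) || isset($post[$name]));
    return ['source' => $ignored ? 'new (URL/form id ignored)' : 'new', 'id' => null];
}

// Request from the trace: id in the query string, no cookie sent.
$get = ['HORNET' => 'd72592f9adf5b04c74bb269a799aef53'];

// The two defaults reported in the thread for session.use_only_cookies.
$defaults = ['5.2.6' => '0', '5.3.0alpha2' => '1'];

foreach ($defaults as $version => $onlyCookies) {
    $ini = [
        'session.name'             => 'HORNET',  // from the SID shown in the trace
        'session.use_cookies'      => '1',       // assumed; not stated in the report
        'session.use_only_cookies' => $onlyCookies,
    ];
    $r = session_id_source($ini, [], $get, []);
    printf("%-12s use_only_cookies=%s -> %s %s\n",
        $version, $onlyCookies, $r['source'], $r['id'] ?? '');
}

// On a live installation, pass the effective values instead:
//   $keys = ['session.name', 'session.use_cookies', 'session.use_only_cookies'];
//   $ini  = array_combine($keys, array_map('ini_get', $keys));
```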