From: mrmax063 at maxempire dot com
Operating system: Windows XP
PHP version: 4CVS-2003-08-13 (stable)
PHP Bug Type: Session related
Bug description: session.referer_check is ignored by session_start() function
Description:
------------
Hi! I've recently discovered that the session_start() function ignores the session.referer_check setting. To be sure, I even downloaded the latest release in the 4CVS series, but the problem remains.

For example, if the domain name where the script is located is "example.com", session.referer_check should be set to "example.com". Now, according to the documentation, if someone tries to access the script from another domain with a valid session id embedded in the URL (i.e. by following an <A> link whose HREF parameter points to http://example.com/session.php?PHPSESSID=sessionid...), PHP should reset the session id to another value. But instead of this, the session id specified in the URL is accepted (even though the HTTP_REFERER field contains the address of another domain).

Reproduce code:
---------------
<?php
// Require the Referer to contain "example.com" before an embedded id is trusted
ini_set('session.referer_check', 'example.com');
session_start();

// Per-session counter, so it is visible whether the session was reused or reset
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
} else {
    $_SESSION['count']++;
}

print('Counter: ' . $_SESSION['count'] . '<BR>');
print('Add this code to a page on *another* domain: <A HREF="http://example.com/session.php?PHPSESSID=' . session_id() . '">HIJACK!</A><BR>');
print('HTTP_REFERER: ' . getenv('HTTP_REFERER'));
?>

Expected result:
----------------
When the above script is accessed from another domain via an <A> HTML tag and the session id is specified in the URL ("session.php?PHPSESSID=sessionid..."), the session_start() function should reset the session id to another value, since HTTP_REFERER contains the address of another domain.

Actual result:
--------------
The session_start() function accepts the session id specified in the URL, even though HTTP_REFERER contains the address of another domain.
-- Edit bug report at http://bugs.php.net/?id=25084&edit=1
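The following is an added example, not the reporter's code or PHP's own implementation: a userland fallback that performs the check session.referer_check is documented to do (a sent Referer must match the configured site, a missing Referer is not checked), so that an id carried in the URL is discarded and regenerated when the Referer points off-site. It assumes PHP 7.1+ on a web SAPI, and it deliberately parses and compares the Referer host rather than doing PHP's plain substring match.

```php
<?php
// Added example (not the reporter's code): userland fallback for the documented
// session.referer_check behaviour. Assumes PHP 7.1+ and a web SAPI.
// Unlike PHP's substring match, the Referer host is parsed and must equal the
// configured host or be a subdomain of it.

function referer_allowed(?string $referer, string $host): bool
{
    // Documented semantics: a Referer that was not sent is not checked at all.
    if ($referer === null || $referer === '') {
        return true;
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost)) {
        return false; // unparsable Referer: do not trust the embedded id
    }
    $refHost = strtolower($refHost);
    $host = strtolower($host);
    return $refHost === $host
        || (strlen($refHost) > strlen($host)
            && substr($refHost, -strlen($host) - 1) === '.' . $host);
}

// Returns true when the incoming session id was kept, false when it was
// discarded and replaced because the Referer pointed at another site.
function referer_checked_session_start(string $host): bool
{
    session_start();
    if (referer_allowed($_SERVER['HTTP_REFERER'] ?? null, $host)) {
        return true;
    }
    // Treat the id the request carried (e.g. PHPSESSID in the URL) as
    // untrusted: drop its data and issue a fresh id, deleting the old one.
    $_SESSION = [];
    session_regenerate_id(true);
    return false;
}

if (PHP_SAPI !== 'cli') {
    $kept = referer_checked_session_start('example.com');
    $_SESSION['count'] = isset($_SESSION['count']) ? $_SESSION['count'] + 1 : 0;
    print('Counter: ' . $_SESSION['count'] . '<br>');
    print($kept ? 'Session id kept' : 'Session id reset: Referer was off-site');
}
```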
