ID: 30026 User updated by: p dot kruijsen at mssm dot nl Reported By: p dot kruijsen at mssm dot nl -Status: Bogus +Status: Open Bug Type: Session related Operating System: Windows XP / Redhat Linux PHP Version: Irrelevant New Comment:
Please not that I am not trying to send any session or cookie information along with my request. I specifically want to use the session information that is already present at the server to which I make the request. Maybe it's better to assume a 'fopen' rather then an 'include'. If I sign in to server.com and type http://server.com/check by hand in a browser, I might recieve a 'You are signed in' message based on a $_SESSION variable that was set. If I fopen(http://server.com/check) from another server and print the contents I get 'You are not signed in, please sign in'. The $_SESSION variable that is already present and set at server.com (this is the key: I'm not sending anything!) is not used when opening the server.com/check url via fopen() or include(). I cannot understand the difference between opening a URL by hand or by opening it and showing its contents via fopen(). Hope this clarifies. Thanks. Previous Comments: ------------------------------------------------------------------------ [2004-09-08 17:21:09] [EMAIL PROTECTED] You are assuming a URL include will send cookie information along with the request. That is not the case. You will have to do that yourself if that is what you want. See php.net/curl for everything you need to send a request which includes the session cookie. ------------------------------------------------------------------------ [2004-09-08 14:58:38] p dot kruijsen at mssm dot nl Description: ------------ When include()ing a url through HTTP, $_SESSION variables in the requested page are lost. Opening the same url by hand does preserve the $_SESSION variables. Testcase: Bootstrap a session variable on server1. (OK) Test bootstrap by invoking script on server1. (OK) Invoke script on server2 that includes script on server1. ($_SESSION is lost) This behaviour occurs on various operating systems with various up to date versions of PHP. I suspect this to be some form of security guarantee built into PHP. However, I see no difference in security level between include()ing a file in a script and opening it by hand. Reproduce code: --------------- <?php // server1.com/bootstrap.php session_start(); $_SESSION['bootstrap'] = 'OK'; echo('OK'); ?> <?php // server1.com/test.php session_start(); $_SESSION['server1'] = 'OK'; echo('<pre>server1: $_SESSION = '); print_r($_SESSION); echo('</pre>'); ?> <?php // server2.com/test.php session_start(); include('http://server1.com/test.php'); $_SESSION['server2'] = 'OK'; echo('<pre>server2: $_SESSION = '); print_r($_SESSION); echo('</pre>'); ?> Expected result: ---------------- // invoke server1.com/bootstrap.php OK // invoke server1.com/test.php server1: $_SESSION = Array ( [bootstrap] => OK [server1] => OK ) // invoke server2.com/test.php server1: $_SESSION = Array ( [bootstrap] => OK [server1] => OK ) server2: $_SESSION = Array ( [server2] => OK ) Actual result: -------------- // invoke server2.com/test.php server1: $_SESSION = Array ( [server1] => OK ) server2: $_SESSION = Array ( [server2] => OK ) // Ths initial bootstrap variable is missing from $_SESSION on server1 ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=30026&edit=1
