ID: 31369
Updated by: [EMAIL PROTECTED]
Reported By: baafie at planet dot nl
-Status: Open
+Status: Assigned
-Bug Type: Session related
+Bug Type: Feature/Change Request
Operating System: Linux Red hat 9 -2.4.20
PHP Version: 4.3.10
-Assigned To:
+Assigned To: sas
New Comment:
Assigning to the author of ext/session who can explain this / change it
if he wishes.
Previous Comments:
------------------------------------------------------------------------
[2005-01-17 02:38:09] destes at ix dot netcom dot com
This is a potential security issue, since I read the manual as
describing the behavior this bug expects (whereas the experienced
behavior is very different). The ability to keep session data private
(especially SIDs) is very important and I don't think the developers
intended trans-sid to extend beyond the use of sessions in a script
(i.e., beyond where the session has been destroyed).
On a side note, you can avoid having trans-sid append your links by
using absolute (rather than relative) URLs.
I recommend that the original submitter changes this back from Bogus;
absolutely zero explanation was given as to why this isn't a bug, and I
(personally) happen to disagree.
-Steve
------------------------------------------------------------------------
[2005-01-16 19:00:39] baafie at planet dot nl
I reopened this bug to allow another person to comment. Please leave
the status as it is, until he has done so.
Re: your comment - why are session_destroy() and/or
session_write_close() not supposed to unregister the handler? Is there
another function that has this functionality?
------------------------------------------------------------------------
[2005-01-16 18:54:16] [EMAIL PROTECTED]
Because it's not supposed to unregister the handler.
------------------------------------------------------------------------
[2005-01-16 18:38:03] baafie at planet dot nl
Reopened by request. Comment pending.
------------------------------------------------------------------------
[2005-01-02 15:46:14] baafie at planet dot nl
Would you mind explaining why this is not a bug?
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/31369