#34275 [NEW]: Session ID change when multiple javascript call occurs simultaneously

[mag at alcormizar dot com]

From:             mag at alcormizar dot com
Operating system: windows xp - 2000
PHP version:      5.0.4
PHP Bug Type:     Session related
Bug description:  Session ID change when multiple javascript call occurs 
simultaneously

Description:
------------
We have a web page that refresh 3 images every seconds, we use javascript
+ dhtml to accomplish this. 

We use a timeout to call the UpdateImage function every second for each of
the three images. Since there was a security risk in enabling sending
cookies when changing the src attribute of an image, we need to send the
Session ID as a GET request because we need our Session variables in
test.php to select the right image to send back to the browser.

The calls to change the 3 images are made very close to one another, maybe
even at the same time (but it sure is within a few milliseconds). Here's
what happen :

1. Call to change the first image - Ok
2. Call to change the second image - Ok, but php change the Session ID
after session_start() (why ???).
3. Call to change the third image - Fail, because the Session ID is not
good anymore.

What happen is that the third call to the function is made <-before-> the
Session ID is changed in the browser cookie, kind of a race condition.


Reproduce code:
---------------
function UpdateImage(IdImage)
{
    var phpsessionid = GetSessionID(); //Get the PHPSESSID value from the
cookie.

    document.getElementById(IdImage).src =
"http://example.com/test.php?PHPSESSID="; + phpsessionid +
"xxxxxxxxx&idimage=id";
}

Expected result:
----------------
We would expect the Session ID not to change between those calls, unless
someone can explain why it is changed like that.


-- 
Edit bug report at http://bugs.php.net/?id=34275&edit=1
-- 
Try a CVS snapshot (php4):   http://bugs.php.net/fix.php?id=34275&r=trysnapshot4
Try a CVS snapshot (php5.0): 
http://bugs.php.net/fix.php?id=34275&r=trysnapshot50
Try a CVS snapshot (php5.1): 
http://bugs.php.net/fix.php?id=34275&r=trysnapshot51
Fixed in CVS:                http://bugs.php.net/fix.php?id=34275&r=fixedcvs
Fixed in release:            http://bugs.php.net/fix.php?id=34275&r=alreadyfixed
Need backtrace:              http://bugs.php.net/fix.php?id=34275&r=needtrace
Need Reproduce Script:       http://bugs.php.net/fix.php?id=34275&r=needscript
Try newer version:           http://bugs.php.net/fix.php?id=34275&r=oldversion
Not developer issue:         http://bugs.php.net/fix.php?id=34275&r=support
Expected behavior:           http://bugs.php.net/fix.php?id=34275&r=notwrong
Not enough info:             
http://bugs.php.net/fix.php?id=34275&r=notenoughinfo
Submitted twice:             
http://bugs.php.net/fix.php?id=34275&r=submittedtwice
register_globals:            http://bugs.php.net/fix.php?id=34275&r=globals
PHP 3 support discontinued:  http://bugs.php.net/fix.php?id=34275&r=php3
Daylight Savings:            http://bugs.php.net/fix.php?id=34275&r=dst
IIS Stability:               http://bugs.php.net/fix.php?id=34275&r=isapi
Install GNU Sed:             http://bugs.php.net/fix.php?id=34275&r=gnused
Floating point limitations:  http://bugs.php.net/fix.php?id=34275&r=float
No Zend Extensions:          http://bugs.php.net/fix.php?id=34275&r=nozend
MySQL Configuration Error:   http://bugs.php.net/fix.php?id=34275&r=mysqlcfg