ID:               34275
User updated by:  mag at alcormizar dot com
Reported By:      mag at alcormizar dot com
Status:           Open
Bug Type:         Session related
Operating System: windows xp - 2000
PHP Version:      5.0.4
 New Comment:

When submitting the function I forgot to remove the Xs, so the real
function looks like:

function UpdateImage(IdImage)
{
    // Get the PHPSESSID value from the cookie.
    var phpsessionid = GetSessionID();

    document.getElementById(IdImage).src =
        "http://example.com/test.php?PHPSESSID=" + phpsessionid +
        "&idimage=id";
}


Previous Comments:
------------------------------------------------------------------------

[2005-08-26 23:21:13] mag at alcormizar dot com

Description:
------------
We have a web page that refreshes 3 images every second; we use
JavaScript + DHTML to accomplish this.

We use a timeout to call the UpdateImage function every second for each
of the three images. Since there was a security risk in enabling sending
cookies when changing the src attribute of an image, we need to send the
Session ID as a GET request because we need our Session variables in
test.php to select the right image to send back to the browser.

The calls to change the 3 images are made very close to one another,
maybe even at the same time (but it sure is within a few milliseconds).
Here's what happens:

1. Call to change the first image - Ok
2. Call to change the second image - Ok, but PHP changes the Session ID
after session_start() (why ???).
3. Call to change the third image - Fail, because the Session ID is not
good anymore.

What happens is that the third call to the function is made <-before->
the Session ID is changed in the browser cookie, kind of a race
condition.


Reproduce code:
---------------
function UpdateImage(IdImage)
{
    // Get the PHPSESSID value from the cookie.
    var phpsessionid = GetSessionID();

    document.getElementById(IdImage).src =
        "http://example.com/test.php?PHPSESSID=" + phpsessionid +
        "xxxxxxxxx&idimage=id";
}

Expected result:
----------------
We would expect the Session ID not to change between those calls,
unless someone can explain why it is changed like that.



------------------------------------------------------------------------

