#37087 [Opn->WFx]: register_globals with $_SESSION

[tony2001]

 ID:               37087
 Updated by:       [EMAIL PROTECTED]
 Reported By:      stefys at gmail dot com
-Status:           Open
+Status:           Wont fix
 Bug Type:         Variables related
 Operating System: Windows XP SP2
 PHP Version:      5.1.2
 New Comment:

register_globals will not exist in PHP6.


Previous Comments:
------------------------------------------------------------------------

[2006-04-14 19:22:15] stefys at gmail dot com

Description:
------------
When register_globals is enabled, items from $_SESSION are stored into
variables. However, if you unset one of those variables, and then you
set it again with his own value, then you session_unset() the variable
will be lost too. This is not really a bug, but maybe there is a way to
check if that variable still "points" to $_SESSION.

Reproduce code:
---------------
<?
        session_start();
        if (!isset($_SESSION['test']))
        {
                $_SESSION['test'] = "value in session";
                echo "please reload!";
        }
        else
        {
                echo '$_SESSION[\'test\']: '.$_SESSION['test']."<br>"; // prints
$_SESSION['test'] 
                echo '$test: '.$test."<br>"; // prints $_SESSION['test']
                unset($test); //unsets $test, now $test is not a "pointer" to
$_SESSION['test'] anymore
                $test = "my own value";
                echo '$_SESSION[\'test\']: '.$_SESSION['test']."<br>";
                echo '$test: '.$test."<br>"; //ok, now $test has different 
value than
$_SESSION['test']
                session_unset(); // unsets $_SESSION['test'], but $test too, 
because
register_globals is enabled
                echo '$_SESSION[\'test\']: '.$_SESSION['test']."<br>";
                echo '$test: '.$test."<br>";
        }
?>

Expected result:
----------------
It should only unset $_SESSION['test'], not $test, even if
register_globals is enabled.

Actual result:
--------------
Both, $test and $_SESSION['test'] are unset. This how I think that
session_unset() works:

function session_unset()
{
    global $_SESSION;
    foreach ($_SESSION as $item => $value)
    {
        unset($_SESSION[$item]);
        if (ini_get('register_globals')) unset($$value); // unsets
$value, no matter if it does not "point" to $_SESSION anymore
        //as a temporary fix:
        //if (ini_get('register_globals') && $$value ===
$_SESSION[$item]) ... // this will still not fix everything, since
value of $$value might be same as in $_SESSION, in which case it will
still be unset
    }
}


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=37087&edit=1