From: john at albin dot net
Operating system:
PHP version: 5.2.1
PHP Bug Type: Session related
Bug description: session id gets over-written by other server's cookie

Description:
------------
Here's a not-so-unusual situation:

If a user goes to a PHP-based website with enabled sessions at http://example.com, by default PHP sets a cookie named PHPSESSID for .example.com.

If that user then goes to a separate website at http://other.example.com, PHP sets a cookie named PHPSESSID for .other.example.com.

From the cookie spec:

  When sending cookies to a server, all cookies with a more specific path mapping should be sent before cookies with less specific path mappings. For example, a cookie "name1=foo" with a path mapping of "/" should be sent after a cookie "name1=foo2" with a path mapping of "/bar" if they are both to be sent.

Even though both cookies are submitted by the browser back to the other.example.com website, PHP clobbers the value of the more-specific cookie with the less-specific cookie that follows. So there's no way that the PHP code could ever get the correct session id.

Reproduce code:
---------------
Go to http://example.com and let PHP set a default session cookie.
Go to http://other.example.com and let PHP set a default session cookie.
On the other.example.com website run:

<?php
session_start();
$value = $_COOKIE['PHPSESSID']
?>

Expected result:
----------------
To get the session_id from the .other.example.com cookie.

Actual result:
--------------
You get the session_id from the .example.com cookie.

--
Edit bug report at http://bugs.php.net/?id=40806&edit=1
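
The collision described in the report, as an added example that is not part of the original report or of PHP's own code: it parses a raw Cookie request header that carries PHPSESSID twice, shows what a last-wins and a first-wins reader each return, and flags the duplicate so the application can refuse an ambiguous session id. The header string, both cookie values and all function names are constructed for illustration, and the order of the two cookies is assumed to be the one the report describes.

```php
<?php
// Constructed Cookie header as other.example.com would receive it in the
// report's scenario. In a live request the raw header is $_SERVER['HTTP_COOKIE'].
// Both values are placeholders, not real session ids.
$header = 'PHPSESSID=id-set-by-other-example-com; PHPSESSID=id-set-by-example-com';

// Split a raw Cookie header into [name, value] pairs, keeping order and duplicates.
function parse_cookie_header(string $header): array
{
    $pairs = [];
    foreach (explode(';', $header) as $part) {
        $part = trim($part);
        if ($part === '' || strpos($part, '=') === false) {
            continue; // skip empty or malformed fragments
        }
        [$name, $value] = explode('=', $part, 2);
        $pairs[] = [trim($name), urldecode(trim($value))];
    }
    return $pairs;
}

// Resolve one cookie name under a 'first' (first wins) or 'last' (last wins) policy.
function resolve_cookie(array $pairs, string $name, string $policy): ?string
{
    $found = null;
    foreach ($pairs as [$n, $v]) {
        if ($n !== $name) {
            continue;
        }
        if ($policy === 'first') {
            return $v;
        }
        $found = $v; // 'last': a later value overwrites an earlier one
    }
    return $found;
}

// Names that occur more than once: the request is ambiguous for these.
function duplicate_names(array $pairs): array
{
    $counts = array_count_values(array_column($pairs, 0));
    return array_keys(array_filter($counts, function ($c) { return $c > 1; }));
}

$pairs = parse_cookie_header($header);
echo 'last wins:  ', resolve_cookie($pairs, 'PHPSESSID', 'last'), "\n";
echo 'first wins: ', resolve_cookie($pairs, 'PHPSESSID', 'first'), "\n";
echo 'ambiguous:  ', implode(', ', duplicate_names($pairs)), "\n";
```

Giving each site its own session cookie name with session_name() before session_start() keeps the two cookies from sharing a name in the first place.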
