From: erik-php at vanpienbroek dot nl Operating system: CentOS Linux 4.4 PHP version: 5.2.1 PHP Bug Type: Session related Bug description: Sessions are leaked when using Apache's UserDir function
Description: ------------ Hi, I'm the administrator of a webserver which is used by a school to serve websites for students. All the individual websites are published using the UserDir function from PHP (so we don't use VHosts). Say there are 2 Apache UserDirs available, /home/a and /home/b (which are reachable from http://myhost/a and http://myhost/b). Both UserDirs contain the attached index.php script. When you open your browser and navigate to http://myhost/a you'll get the message 'my_var set'. If you refresh this page you'll get the message 'my_var = hello world!'. When you navigate to http://myhost/b using the same browser window you get the message 'my_var = hello world!'. This isn't the expected behaviour as both URL's are actually seperate websites and thus should have a seperate session. This way it is possible for seperate UserDirs to see each other session data (assuming that the user navigates to both UserDirs from the same browser window). When Apache modules like mod_suid/mod_ruid are used this behaviour triggers 'permission denied' errors as the session file is created with the ownership of the user belonging to the first UserDir request and later being opened by the user belonging to the other UserDir (and fails). Would it be possible for PHP to find out if a Apache request is pointing to a UserDir and if so, create a new session for it? Thanks in advance. Reproduce code: --------------- <? session_start(); if (!isset($_SESSION['my_var'])) { $_SESSION['my_var'] = "hello world!"; echo "my_var set\n"; } else { echo "my_var = " . $_SESSION['my_var'] . "\n"; } ?> -- Edit bug report at http://bugs.php.net/?id=41131&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=41131&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=41131&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=41131&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=41131&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=41131&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=41131&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=41131&r=needscript Try newer version: http://bugs.php.net/fix.php?id=41131&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=41131&r=support Expected behavior: http://bugs.php.net/fix.php?id=41131&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=41131&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=41131&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=41131&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=41131&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=41131&r=dst IIS Stability: http://bugs.php.net/fix.php?id=41131&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=41131&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=41131&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=41131&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=41131&r=mysqlcfg
