ID: 41131 Updated by: [EMAIL PROTECTED] Reported By: erik-php at vanpienbroek dot nl -Status: Open +Status: Bogus Bug Type: Session related Operating System: CentOS Linux 4.4 PHP Version: 5.2.1 New Comment:
Set the "session.cookie_path" INI setting per UserDir. Previous Comments: ------------------------------------------------------------------------ [2007-04-18 13:26:00] erik-php at vanpienbroek dot nl Description: ------------ Hi, I'm the administrator of a webserver which is used by a school to serve websites for students. All the individual websites are published using the UserDir function from PHP (so we don't use VHosts). Say there are 2 Apache UserDirs available, /home/a and /home/b (which are reachable from http://myhost/a and http://myhost/b). Both UserDirs contain the attached index.php script. When you open your browser and navigate to http://myhost/a you'll get the message 'my_var set'. If you refresh this page you'll get the message 'my_var = hello world!'. When you navigate to http://myhost/b using the same browser window you get the message 'my_var = hello world!'. This isn't the expected behaviour as both URL's are actually seperate websites and thus should have a seperate session. This way it is possible for seperate UserDirs to see each other session data (assuming that the user navigates to both UserDirs from the same browser window). When Apache modules like mod_suid/mod_ruid are used this behaviour triggers 'permission denied' errors as the session file is created with the ownership of the user belonging to the first UserDir request and later being opened by the user belonging to the other UserDir (and fails). Would it be possible for PHP to find out if a Apache request is pointing to a UserDir and if so, create a new session for it? Thanks in advance. Reproduce code: --------------- <? session_start(); if (!isset($_SESSION['my_var'])) { $_SESSION['my_var'] = "hello world!"; echo "my_var set\n"; } else { echo "my_var = " . $_SESSION['my_var'] . "\n"; } ?> ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=41131&edit=1
