Edit report at https://bugs.php.net/bug.php?id=49326&edit=1
ID: 49326
Updated by: yohg...@php.net
Reported by: k dot triendl at m-box dot at
Summary: output_buffering can break unsecure transparent
automatic SID adding
-Status: Open
+Status: Feedback
Type: Bug
Package: Session related
Operating System: windows xp sp3
PHP Version: 5.2.10
Block user comment: N
Private report: N
New Comment:
Please try using this snapshot:
http://snaps.php.net/php5.3-latest.tar.gz
For Windows:
http://windows.php.net/snapshots/
Previous Comments:
------------------------------------------------------------------------
[2009-09-18 14:07:37] k dot triendl at m-box dot at
Well, this is no satisfactory answer, I feel.
There are situations where cookies can't be used; cookies are bound to a path.
If one sets them for the root '/' then the session information is valid for the
whole path. No other session can be created without destroying the old one.
Users wouldn't be able to login into different databases at the same time or
with different user credentials.
Also, I don't see so much the security risk with SIDs in URLs as information
via our application is read-only to the public and will be changed only in
intranets. Additionally, sessions are time-limited.
No matter the security risks it should be up to the application to decide
whether it matters or not. Cookies have their own flaws.
PHP offers the feature to append the SID automatically and therefore I'm urging
that this bug gets fixed (php 5.3.x might have the same bug), otherwise the
feature should be deprecated.
Adding the SID manually is a tedious and error-prone work.
------------------------------------------------------------------------
[2009-09-16 08:02:00] j...@php.net
You should really add the SID "manually" anyway, using
session.use_trans_sid should be avoided always when your site is
anything else but some intranet. (might be fixed, propably won't be
ever)
------------------------------------------------------------------------
[2009-09-15 14:41:46] k dot triendl at m-box dot at
Reproduce code:
---------------
I've prepared a test case without external requirements:
http://www.m-box.at/phpbug_49326/phpbug_49326.php.txt
http://www.m-box.at/phpbug_49326/phpbug_49326.html.inc
phpbug_49326.php.txt is the php script, remove the .txt extension;
phpbug_49326.html.inc is the file included by the php script.
Be sure to set 'output_buffering' to 4096 in the php.ini or the .htaccess file.
Expected result:
----------------
correct link to 'Impressum':
<a
href="imprint.m-box?setmgrname=mboxobj&fcardid=4&reffcardid=3&PHPSESSID=bouq4a3sddqfeqp4hrobr4bur0>Impressum</a>
Actual result:
--------------
incorrect link to 'Impressum':
<a
href="imprint.m-box?setmgrname=mboxobj&fcardid=4&reffcardid=3"?PHPSESSID=bouq4a3sddqfeqp4hrobr4bur0>Impressum</a>
------------------------------------------------------------------------
[2009-09-04 11:41:36] j...@php.net
Please provide a proper test case which does not have any external requirements.
------------------------------------------------------------------------
[2009-08-21 21:46:10] k dot triendl at m-box dot at
Description:
------------
If output_buffering is set to 4096 and session.use_trans_sid is used, the
output may be broken:
<a href="index.php"?PHPSESSID=fa562d5bb14df890e6db68627ea76442>
I've found that the same bug was reported in 2003 for php-4.3.8 (which was
fixed back then) and filed under #29333: http://bugs.php.net/bug.php?id=29333.
The problem is reproducable with the code that Alan has still on his website.
I hope it's ok to refer to bug #29333.
Reproduce code:
---------------
As described in #29333
Expected result:
----------------
As described in #29333
Actual result:
--------------
As described in #29333
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=49326&edit=1
