 ID:               28681
 Updated by:       [EMAIL PROTECTED]
 Reported By:      s dot lemke at infoworxx dot de
-Status:           Open
+Status:           Feedback
 Bug Type:         Session related
 Operating System: Linux 2.4.18
 PHP Version:      4.3.7
 New Comment:

Do you set a domain for the cookie used to store the sessions?


Previous Comments:
------------------------------------------------------------------------

[2004-06-07 20:45:19] s dot lemke at infoworxx dot de

Description:
------------
Hi !

I have a "phaenomen" which is so fantastic that I cannot believe it.

General setup:
one domain using sessions (with name "abcsession") running under "www.abconline.de"
another domain for testing (also with name "abcsession") running under "dev.abconline.de"

Under some circumstances, stored session data will be changed and I can find data in $_SESSION which I have never stored.

An important fact seems to be that both domains have the same top-level domain on the same machine (physically two different systems - one for development and testing) - another important fact is a not found image.

It is definitely a PHP problem.

Here is a test URL:
http://dev.abconline.de/test/start.php4

After every refresh the session var changes !! (try it :-)
and if I type the contents of the file in which the session data is stored (/tmp/sess_xxxxx) there are variables I have never stored.

I have documented more information in the sample scripts.

I know it sounds really fantastic - after a few years of PHP development I have never seen anything like this....

Regards,
Sebastian

Reproduce code:
---------------
---- start.php4 ----
<?
session_name('abcsession');
session_start();
$_SESSION['s_valid_register']=642536304;
?>
<HTML>
<HEAD>
<META HTTP-EQUIV="refresh" content="0;URL=second.php4">
<TITLE></TITLE>
</HEAD>
<BODY>
redirect to next page!
</BODY>
</HTML>

---- second.php4 ----
<?
session_name('abcsession');
session_start();
echo "Session: ".$_SESSION['s_valid_register']."<BR>";
echo '<img src="not-found-image.gif">';
echo "<BR>";
echo "session-id: ".session_id()."<BR>";
?>
<BR>
now refresh (f5) an see whats happening with the session var !!!<BR><BR>
I took a look into my session-file - there were a lot of more vars in there<BR>
i cannot explain from where the vars are...!? - look at the session-file<BR><BR>
[....]
Session-Data:<BR>
<?
while (list($key, $value)=each($_SESSION))
    echo $key."=".$value."<BR>";
?>

Expected result:
----------------
The session var 's_valid_register' must have the same value after every refresh.
Only one var (s_valid_register) should be stored in the session data file (/tmp/sess_xxx), but it is not the only one !

Actual result:
--------------
After every refresh the value changes.
Hijacked data in the session.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=28681&edit=1
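
The question about the cookie domain matters because the Domain attribute decides which hosts receive a session cookie with a given name. The following is an added example, not code from the bug report or from PHP: it applies the RFC 6265 domain-matching rule to the two hosts named in the report, using constructed Set-Cookie values and hypothetical helper names (`domainMatches`, `storeCookie`, `isSentTo`); public-suffix checks are left out.

```javascript
// Added example: RFC 6265 cookie scoping for the two hosts in the report.
// The Set-Cookie values are constructed; the report does not show real headers.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when they are
// identical, or when the host ends with "." + domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Turn a Set-Cookie header received from originHost into a cookie-jar entry.
// Returns null when the Domain attribute does not cover the origin host.
function storeCookie(originHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: originHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map(s => s.trim());
    if (k.toLowerCase() === "domain" && v !== "") {
      const d = v.replace(/^\./, "").toLowerCase(); // a leading dot is ignored
      if (!domainMatches(originHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false; // now valid for the domain and its subdomains
    }
  }
  return cookie;
}

// Would a browser attach this cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
}

const shared = storeCookie("www.abconline.de",
  "abcsession=constructed-id-1; path=/; domain=.abconline.de");
const hostOnly = storeCookie("www.abconline.de",
  "abcsession=constructed-id-2; path=/");
for (const h of ["www.abconline.de", "dev.abconline.de"]) {
  console.log(h, "domain cookie:", isSentTo(shared, h),
              "host-only cookie:", isSentTo(hostOnly, h));
}
```

In PHP the attribute comes from `session.cookie_domain` or the domain argument of `session_set_cookie_params()`; leaving it empty produces the host-only case.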