#41853 [NEW]: Session shared between users

gundja at hotmail dot com Fri, 29 Jun 2007 08:22:26 -0700

From:             gundja at hotmail dot com
Operating system: Redhat Enterprise
PHP version:      5.2.3
PHP Bug Type:     Session related
Bug description:  Session shared between users


Description:
------------
Users share the same session when there is a peak of charge.
Actually, the process is:
User 1 starts a session with a specific session_id() (S1)
User 2 starts a session with a specific session_id() (S2)

User 1 clicks on links
User 2 clicks on links

When there a lot of session, User 1 session = S2...

Thank you very much for your help.

Reproduce code:
---------------
<?
//version 0.2
session_start();
echo("Server name:".$_SERVER["SERVER_ADDR"]);
echo("<br/>SESSION ID : ".session_id()."<br/>");                
$customControl = $_SERVER
['REMOTE_ADDR']."|".$_SERVER['HTTP_USER_AGENT']."|".$_SERVER['HTTP_ACCEPT_LANGUAGE']."|".session_id();
echo("Associated informations : <br/>".$customControl."<br/>");         
if(isset($_SESSION["CUSTOM_CONTROL"]))
{
        $controlFromSession = $_SESSION["CUSTOM_CONTROL"];
        echo("Informations from session : <br/>".$controlFromSession."<br/>");  
        
        if($customControl!=$controlFromSession)
        {
                echo("Informations from session and information provided by 
client are
differents<br/>");                                                      
                echo("We will destroy the session<br/>");                       
                                
                session_destroy();
                echo("Session is destroyed<br/>");                              
                        
                echo("Session will be started<br/>");                           
                        
                session_start();
                echo("Session is started<br/>");                                
                        
                $customControl = $_SERVER
['REMOTE_ADDR']."|".$_SERVER['HTTP_USER_AGENT']."|".$_SERVER['HTTP_ACCEPT_LANGUAGE']."|".session_id();
                echo("Value of custom control :<br/>".$customControl);          
                                        
        }
} 

$_SESSION["CUSTOM_CONTROL"] = $customControl;
echo("Value of Session :<br/>".$_SESSION["CUSTOM_CONTROL"]);
?>

Expected result:
----------------
SESSION ID : e1dd4e5ce39242a52c7db9d7f23fec8c
Associated informations :
195.68.126.90|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4)
Gecko/20070515
Firefox/2.0.0.4|en-us,en;q=0.5|e1dd4e5ce39242a52c7db9d7f23fec8c
Informations from session :
195.68.126.90|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4)
Gecko/20070515
Firefox/2.0.0.4|en-us,en;q=0.5|e1dd4e5ce39242a52c7db9d7f23fec8c
Value of Session :
195.68.126.90|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4)
Gecko/20070515
Firefox/2.0.0.4|en-us,en;q=0.5|e1dd4e5ce39242a52c7db9d7f23fec8c

Actual result:
--------------
SESSION ID : 979747d25bc9e21291aad70a1f886491
Associated informations :
195.68.126.90|Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4)
Gecko/20070515
Firefox/2.0.0.4|en-us,en;q=0.5|979747d25bc9e21291aad70a1f886491
Informations from session :
82.228.147.184;Mozilla/5.0 (Windows: U: Windows NT 5.1: fr: rv:1.8.0.12)
Gecko/20070508
Firefox/1.5.0.12;fr,fr-fr:q=0.8,en-us:q=0.5,en:q=0.3;979747d25bc9e21291aad70a1f886491;9508e4f5a18916a88ac39f0c64aecd0a
Informations from session and information provided by client are
differents
We will destroy the session
Session is destroyed
Session will be started

-- 
Edit bug report at http://bugs.php.net/?id=41853&edit=1
-- 
Try a CVS snapshot (PHP 4.4): 
http://bugs.php.net/fix.php?id=41853&r=trysnapshot44
Try a CVS snapshot (PHP 5.2): 
http://bugs.php.net/fix.php?id=41853&r=trysnapshot52
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=41853&r=trysnapshot60
Fixed in CVS:                 http://bugs.php.net/fix.php?id=41853&r=fixedcvs
Fixed in release:             
http://bugs.php.net/fix.php?id=41853&r=alreadyfixed
Need backtrace:               http://bugs.php.net/fix.php?id=41853&r=needtrace
Need Reproduce Script:        http://bugs.php.net/fix.php?id=41853&r=needscript
Try newer version:            http://bugs.php.net/fix.php?id=41853&r=oldversion
Not developer issue:          http://bugs.php.net/fix.php?id=41853&r=support
Expected behavior:            http://bugs.php.net/fix.php?id=41853&r=notwrong
Not enough info:              
http://bugs.php.net/fix.php?id=41853&r=notenoughinfo
Submitted twice:              
http://bugs.php.net/fix.php?id=41853&r=submittedtwice
register_globals:             http://bugs.php.net/fix.php?id=41853&r=globals
PHP 3 support discontinued:   http://bugs.php.net/fix.php?id=41853&r=php3
Daylight Savings:             http://bugs.php.net/fix.php?id=41853&r=dst
IIS Stability:                http://bugs.php.net/fix.php?id=41853&r=isapi
Install GNU Sed:              http://bugs.php.net/fix.php?id=41853&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=41853&r=float
No Zend Extensions:           http://bugs.php.net/fix.php?id=41853&r=nozend
MySQL Configuration Error:    http://bugs.php.net/fix.php?id=41853&r=mysqlcfg

#41853 [NEW]: Session shared between users

Reply via email to