From: p dot kruijsen at mssm dot nl
Operating system: Windows XP / Redhat Linux
PHP version: Irrelevant
PHP Bug Type: Session related
Bug description: Session variables lost with include through http
Description:
------------
When include()ing a url through HTTP, $_SESSION variables in the requested
page are lost. Opening the same url by hand does preserve the $_SESSION
variables.
Testcase:
Bootstrap a session variable on server1. (OK)
Test bootstrap by invoking script on server1. (OK)
Invoke script on server2 that includes script on server1. ($_SESSION is
lost)
This behaviour occurs on various operating systems with various up to date
versions of PHP. I suspect this to be some form of security guarantee built
into PHP. However, I see no difference in security level between
include()ing a file in a script and opening it by hand.
Reproduce code:
---------------
<?php
// server1.com/bootstrap.php
session_start();
$_SESSION['bootstrap'] = 'OK';
echo('OK');
?>
<?php
// server1.com/test.php
session_start();
$_SESSION['server1'] = 'OK';
echo('<pre>server1: $_SESSION = ');
print_r($_SESSION);
echo('</pre>');
?>
<?php
// server2.com/test.php
session_start();
include('http://server1.com/test.php');
$_SESSION['server2'] = 'OK';
echo('<pre>server2: $_SESSION = ');
print_r($_SESSION);
echo('</pre>');
?>
Expected result:
----------------
// invoke server1.com/bootstrap.php
OK
// invoke server1.com/test.php
server1: $_SESSION = Array
(
[bootstrap] => OK
[server1] => OK
)
// invoke server2.com/test.php
server1: $_SESSION = Array
(
[bootstrap] => OK
[server1] => OK
)
server2: $_SESSION = Array
(
[server2] => OK
)
Actual result:
--------------
// invoke server2.com/test.php
server1: $_SESSION = Array
(
[server1] => OK
)
server2: $_SESSION = Array
(
[server2] => OK
)
// Ths initial bootstrap variable is missing from $_SESSION on server1
--
Edit bug report at http://bugs.php.net/?id=30026&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=30026&r=trysnapshot4
Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=30026&r=trysnapshot50
Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=30026&r=trysnapshot51
Fixed in CVS: http://bugs.php.net/fix.php?id=30026&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=30026&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=30026&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=30026&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=30026&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=30026&r=support
Expected behavior: http://bugs.php.net/fix.php?id=30026&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=30026&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=30026&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=30026&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=30026&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=30026&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=30026&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=30026&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=30026&r=float
MySQL Configuration Error: http://bugs.php.net/fix.php?id=30026&r=mysqlcfg
