ID:              40806
 User updated by: john at albin dot net
 Reported By:     john at albin dot net
-Status:          Bogus
+Status:          Open
 Bug Type:        Session related
-PHP Version:     5.2.1
+PHP Version:     4.4.6
 Assigned To:     iliaa
 New Comment:

Perhaps you'd like more information rather than marking this as bogus.

What detailed info would you like?


Previous Comments:
------------------------------------------------------------------------

[2007-03-22 23:32:31] [EMAIL PROTECTED]

If the browser is compliant with the spec the more specific cookies are
sent first and PHP prevents their overwriting by less specific cookies.


------------------------------------------------------------------------

[2007-03-21 05:56:45] John at Albin dot Net

This will also affect session cookies from the same server, but with 
different paths.

e.g.

Given a request for http://example.com/path1, a "domain=.example.com;
path=/" session cookie will over-write the correct "domain=.example.com;
path=/path1" session cookie.

------------------------------------------------------------------------

[2007-03-14 19:11:51] john at albin dot net

Description:
------------
Here's a not-so-unusual situation:

If a user goes to a PHP-based website with enabled sessions at
http://example.com, by default PHP sets a cookie named PHPSESSID
for .example.com.

If that user then goes to a separate website at
http://other.example.com, PHP sets a cookie named PHPSESSID
for .other.example.com.

From the cookie spec:
   When sending cookies to a server, all cookies with a more specific
path mapping should be sent before cookies with less specific path
mappings. For example, a cookie "name1=foo" with a path mapping of "/"
should be sent after a cookie "name1=foo2" with a path mapping of "/bar"
if they are both to be sent.

Even though both cookies are submitted by the browser back to the
other.example.com website, PHP clobbers the value of the more-specific
cookie with the less-specific cookie that follows. So there's no way
that the PHP code could ever get the correct session id.



Reproduce code:
---------------
Go to http://example.com and let PHP set a default session cookie.

Go to http://other.example.com and let PHP set a default session
cookie.

On the other.example.com website run:
<?php session_start(); $value = $_COOKIE['PHPSESSID']; ?>

Expected result:
----------------
To get the session_id from the .other.example.com cookie.

Actual result:
--------------
You get the session_id from the .example.com cookie.


------------------------------------------------------------------------
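Added illustration, not part of the bug report and not PHP's own cookie-parsing code: a small parser for a Cookie request header that keeps the order the browser sent the cookies in, and then resolves a duplicated name two ways, first-occurrence-wins (the behaviour the maintainer describes) and last-occurrence-wins (the clobbering the reporter describes). The header value, the cookie values and the function names are constructed for this example. It also reports duplicated names, which is the check a server can make to notice that a session cookie has become ambiguous.

```python
"""Model of what happens when one Cookie header carries two cookies with the
same name, as in the example.com / other.example.com scenario in the report.
Constructed example; it does not reproduce PHP's internal parser."""


def parse_cookie_header(header):
    """Split a Cookie header into an ordered list of (name, value) pairs.

    Order matters: the cookie spec says the browser sends cookies with the
    more specific path first, so the same name may legitimately occur twice.
    Parts without '=' are skipped; the value may itself contain '='.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def first_wins(pairs):
    """Keep the first occurrence of each name (the more specific cookie)."""
    result = {}
    for name, value in pairs:
        result.setdefault(name, value)
    return result


def last_wins(pairs):
    """Keep the last occurrence of each name: the clobbering the report describes."""
    return dict(pairs)  # dict() retains the last value for a repeated key


def duplicated_names(pairs):
    """Names that appear more than once; a session cookie listed here is ambiguous."""
    seen, dupes = set(), []
    for name, _ in pairs:
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


# Constructed header for the reported scenario: the browser holds a PHPSESSID
# for .example.com (path /) and one for .other.example.com, and sends both to
# other.example.com, the more specific one first.
CONSTRUCTED_HEADER = "PHPSESSID=sess_other_site; PHPSESSID=sess_parent_domain; lang=en"

if __name__ == "__main__":
    pairs = parse_cookie_header(CONSTRUCTED_HEADER)
    print("first wins:", first_wins(pairs)["PHPSESSID"])
    print("last wins: ", last_wins(pairs)["PHPSESSID"])
    print("duplicates:", duplicated_names(pairs))
```

Whichever rule the server applies, a request that carries two session cookies of the same name is one the application cannot resolve with certainty from the header alone. The practical mitigations on the PHP side are to avoid the overlap in the first place, by giving each host its own cookie name (session_name()) or an explicit, non-overlapping session.cookie_domain, and to treat a duplicated session cookie name as a condition worth logging, since it means a session id issued for one host is being presented to another.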


-- 
Edit this bug report at http://bugs.php.net/?id=40806&edit=1