Work at SourceForge, help us to make it a better place! We have an immediate need for a Support Technician in our San Francisco or Denver office.

Close

#92 phpwiki with phpsessid's breaks URL's

User_Authentication
closed
Carsten Klapp
7
2012-10-11
2002-01-15
Anonymous
No

If transparent session id's are compiled into php, and
a user who has cookies blocked to your site either:

  • Views a page and clicks "edit"
  • Views pages while VIRTUAL_PATH is false and clicks on
    another linked page

The URL's get FUBAR:

http://server/wiki/index.php/Oracle%20Applications&?PHPSESSID=243fc4338a9871d6bb3f28d3f9ec6985#63;action=edit

if you notice the "&" on the URL, it tries to edit a
page called "Oracle Applications&", instead of having
the PHPSESSID as a variable.

I'm aware that phpwiki doesn't do any special PHPSESSID
handling, but I couldn't uncover the issue with this
bug in a cursory look.. I just commented out all the
session handling since we don't need it inside this
organization.

Tested with both 1.3.0-jeffs-hacks and
1.3.2-jeffs-hacks, as well as Mozilla 0.9.7, Netscape
4.7, and Opera 6.0

Discussion

  • Lawrence Akka
    Lawrence Akka
    2002-01-18

    Logged In: YES
    user_id=346996

    I have been getting this too for some time. I thought it
    was just my setup!

    I think the problem arises because PHP assumes that it can
    just insert the PHPSESSID variable into the URL query
    string, but it is not very good at working out where.

    The strange thing with my setup is that this bug seems to
    occur on the first page load only. Hitting refresh makes
    the SESSID disappear from the query string. It remains
    absent for the rest of the session.

    Lawrence

     
  • Lawrence Akka
    Lawrence Akka
    2002-01-18

    Logged In: YES
    user_id=346996

    The reason (of course) why it happens only on the first
    page load on my system is that I have cookies enabled. The
    first time I visit the wiki in a session, I have no SESSID
    cookie, so php inserts PHPSESSID in the query string, and
    also sets a cookie. On a page refresh, the cookie is
    present, so php does not need to mangle the query string.

    Not sure yet why php cannot put the PHPSESSID variable in
    the right place, though

     
  • Logged In: YES
    user_id=45814

    What versions of PHP are y'all running when you experience
    these problems?

    I have not yet looked at this problem in great detail, but
    it would seem to be a bug in PHP. Maybe it's fixed in
    recent versions of PHP?

    In the mean time, if you configure PHP (at compile time)
    without --enable-trans-sid (or with --disable-trans-sid),
    the problem goes away (but you can't log in to PhpWiki
    without cookies enabled in your browser.)

     
  • Logged In: NO

    php 4.1.1 on Debian Linux. I worked around it by
    disabling the trans-sessid in php.. we had planned to
    use it for a project, but that project is no longer
    happening.

     
  • Lawrence Akka
    Lawrence Akka
    2002-01-22

    Logged In: YES
    user_id=346996

    php 4.0.6 on Apache/Windows 2k

     
  • Carsten Klapp
    Carsten Klapp
    2002-01-25

    Logged In: YES
    user_id=369655

    I found this problem too when I tried to use http://validator.w3.org/check to check my html, the validator doesn't support cookies.

    You can add this line into index.php to prevent it:
    ini_set('session.use_trans_sid', 0);

    (I've also checked in this modification into the CVS of the developmental version).

     
  • Carsten Klapp
    Carsten Klapp
    2003-11-09

    Logged In: YES
    user_id=369655

    Closing off, mod "ini_set('session.use_trans_sid', 0);" checked into
    index.php by Jeff as the default around 2002-01-25.