#614 PHP session handling issues with HTTP/1.1

Can't Reproduce
Mike Elliott

I was having problems with users getting the "You must be logged in
to access this page." when cookies were properly enabled and the
server settings were correct. This occasionally happens in IE 5.0,
and always happens in Opera 6.01.

Cause: Race condition in redirect.php. The cookies are being sent,
and a Location: header is being sent, but no html. The cookies may or
may not be set before the page from the Location: header is loaded.
IE: 50/50, Opera: 95/5 fail/success. Therefore, the PHPSESSID cookie
is missed, and the resulting "not logged in" page is given.

< header("Location: $redirect_url");
echo "<html><head><META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;
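
Review bot: the echo line is cut off after CONTENT=\"0; so how $redirect_url reaches the Refresh target is not visible. If it is interpolated the way the removed header("Location: $redirect_url") line does, pass it through htmlspecialchars() first, because the value now lands inside an HTML attribute instead of a response header.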

Why: Since html is sent in this case, all header information has to
be received and processed before the html can be processed. The
cookies are registered before the jump to the new page. An attempt at
a shortcut with the Location: is what causes the race condition.
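
When trying to reproduce this, it helps to capture the response from redirect.php and confirm which redirect variant was actually sent and whether it carried the session cookie. The sketch below is an added example, not part of the report or the project's code; the sample responses, the /next.php target and the cookie value are constructed, and `reported_pattern` only marks the Set-Cookie plus Location: combination the report blames.

```python
import re

SESSION_COOKIE = "PHPSESSID"  # cookie name taken from the report

def parse_response(raw):
    """Split a raw HTTP response into (status, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body

def classify(raw):
    """Name the redirect variant and say whether it carries the session cookie."""
    status, headers, body = parse_response(raw)
    has_location = any(n == "location" for n, _ in headers)
    has_refresh = re.search(r"""http-equiv\s*=\s*["']?refresh""", body, re.I) is not None
    sets_session = any(
        n == "set-cookie" and v.split("=", 1)[0].strip() == SESSION_COOKIE
        for n, v in headers
    )
    if has_location and has_refresh:
        variant = "location+html"      # the "send both" attempt from the thread
    elif has_location:
        variant = "location-only"      # original redirect.php behaviour
    elif has_refresh:
        variant = "html-refresh"       # the reporter's proposed change
    else:
        variant = "no-redirect"
    # Pattern the report blames: cookie and Location: in the same response.
    return {"status": status, "variant": variant, "sets_session": sets_session,
            "reported_pattern": sets_session and has_location}

# Constructed sample responses (hypothetical target /next.php, made-up cookie value).
COOKIE = "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
META = '<html><head><META HTTP-EQUIV="Refresh" CONTENT="0; URL=/next.php"></head></html>'
LOCATION_ONLY = "HTTP/1.1 302 Found\r\n" + COOKIE + "Location: /next.php\r\n\r\n"
BOTH = LOCATION_ONLY + META
HTML_REFRESH = ("HTTP/1.1 200 OK\r\n" + COOKIE +
                "Content-Type: text/html\r\n\r\n" + META)

if __name__ == "__main__":
    for raw in (LOCATION_ONLY, BOTH, HTML_REFRESH):
        print(classify(raw))
```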


  • Logged In: YES

    OK, I see your point. Upping priority to be included in 1.2.6.

    • priority: 5 --> 9
    • status: open --> open-accepted
  • Logged In: YES

    How about if we send both? I have this faint recollection
    that this used to fix things. E.g. we don't remove the
    header("Location: $redirect_url"), but keep it and add the
    HTML. Can you try it -- does opera still ignore the cookies
    in this case?

    • assigned_to: nobody --> graf25
  • Mike Elliott

    Logged In: YES

    Tried sending both. Fails. I assume the Location: is processed, and the
    rest ignored. As a warning, don't try to get fancy with HTTP_USER_AGENT
    processing and looking for Opera. Opera can be configured to reply IE,
    Netscape, or Opera which would defeat the purpose.

    • milestone: --> Can't Reproduce
    • status: open-accepted --> pending-accepted
  • Logged In: YES

    I can't reproduce this. At all. Any browser -- Opera 6.01,
    IE 5.5, IE 6.0. Any php version. Marking as "can't
    reproduce". For s&g -- try turning off the plugins and see
    if this makes any difference.

  • Mike Elliott

    • status: pending-accepted --> open-accepted
  • Mike Elliott

    Logged In: YES

    Turning off all plugins and sending both fails.
    Turning off all plugins and sending Location: fails.

    This is the same bug referenced in 417373, 466636, and 539168,
    so I know others can reproduce it.

    • priority: 9 --> 5