Patches item #472136, was opened at 2001-10-17 09:41
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=403613&aid=472136&group_id=31885
Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Oliver Kurz (ojk)
Assigned to: Nobody/Anonymous (nobody)
Summary: Bug in session.inc with HTTP_POST_VARS
Initial Comment:
We noticed in one of our projects a little "bug" in the file session.inc (PHPLib 7.2c). If you set the
mode to cookie and the fallback mode to get and then send the session_id with POST through an
HTML form, then your session is lost.
The reason is that the function release_token only looks in $HTTP_GET_VARS for the session_id if
fallback mode is necessary, but not in $HTTP_POST_VARS. This could also be possible if no
cookies are allowed and the session_id is transmitted by a hidden form field.
We fixed the function as you can see at the bottom of this text. Now in fallback mode the function
also looks for the session_id in the POST vars if it isn't set in the cookie or GET vars.
// Fix
function release_token(){
    // Old Version
    // global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_HOST, $HTTPS;
    // New Version
    global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_HOST, $HTTPS, $HTTP_POST_VARS;

    if ( isset($this->fallback_mode)
         && ( "get" == $this->fallback_mode )
         && ( "cookie" == $this->mode )
         && ( ! isset($HTTP_COOKIE_VARS[$this->name]) ) ) {

        // Old Version
        // if ( isset($HTTP_GET_VARS[$this->name]) ) {
        // New Version
        if ( isset($HTTP_GET_VARS[$this->name]) || isset($HTTP_POST_VARS[$this->name]) ) {
            $this->mode = $this->fallback_mode;
        } else {
            header("Status: 302 Moved Temporarily");
            $this->get_id($sid);
            $this->mode = $this->fallback_mode;
            if( isset($HTTPS) && $HTTPS == 'on' ){
                ## You will need to fix suexec as well, if you use Apache and CGI PHP
                $PROTOCOL='https';
            } else {
                $PROTOCOL='http';
            }
            header("Location: ". $PROTOCOL. "://".$HTTP_HOST.$this->self_url());
            exit;
        }
    }
}
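The lookup order the report describes (cookie first, then the GET parameter, then, with the fix, the POST parameter, otherwise a redirect), written as a standalone function so it can be exercised from the CLI with constructed input. This is an added example, not PHPLib code and not the submitter's patch: it takes the request arrays as parameters instead of reading the $HTTP_*_VARS globals, the parameter name PHPLIB_SID and the sample ids are constructed, and it adds one step PHPLib's release_token does not do, a shape check on the id before it is accepted from any source (32 hex characters, the form of PHPLib's md5-based ids, assumed here).

```php
<?php
// Added example; not part of PHPLib or of the reported fix.

// Accept only ids of the assumed PHPLib shape (32 hex chars) before use.
// This check is an addition; the original release_token does not validate here.
function validate_sid($raw): ?string {
    return (is_string($raw) && preg_match('/^[0-9a-f]{32}$/', $raw)) ? $raw : null;
}

// Returns ['source' => cookie|get|post|null, 'id' => string|null, 'redirect' => bool].
// $cookies/$get/$post stand in for $HTTP_COOKIE_VARS/$HTTP_GET_VARS/$HTTP_POST_VARS.
function resolve_session_id(
    string $name,          // session cookie / parameter name (PHPLib $this->name)
    string $mode,          // configured mode, e.g. "cookie"
    ?string $fallbackMode, // e.g. "get", or null when no fallback is configured
    array $cookies,
    array $get,
    array $post
): array {
    // Normal case: the cookie is present, so no fallback is attempted
    // (a malformed cookie yields id null; the caller should start a new session).
    if ($mode === 'cookie' && isset($cookies[$name])) {
        return ['source' => 'cookie', 'id' => validate_sid($cookies[$name]), 'redirect' => false];
    }
    // Fallback only applies to mode=cookie with fallback_mode=get, as in the report.
    if ($mode !== 'cookie' || $fallbackMode !== 'get') {
        return ['source' => null, 'id' => null, 'redirect' => false];
    }
    // Fallback: GET first (original behaviour), then POST (the reported fix,
    // covering the hidden-form-field case).
    foreach ([['get', $get], ['post', $post]] as [$source, $vars]) {
        if (isset($vars[$name])) {
            $id = validate_sid($vars[$name]);
            if ($id !== null) {
                return ['source' => $source, 'id' => $id, 'redirect' => false];
            }
        }
    }
    // Neither parameter present: the original code answers with a 302 to a
    // URL carrying a fresh id; here we only signal that a redirect is due.
    return ['source' => null, 'id' => null, 'redirect' => true];
}

if (PHP_SAPI === 'cli') {
    $name = 'PHPLIB_SID';          // constructed parameter name
    $sid  = str_repeat('ab', 16);  // constructed 32-hex sample id
    $cases = [                     // [cookies, get, post]
        'cookie present'      => [[$name => $sid], [], []],
        'GET fallback'        => [[], [$name => $sid], []],
        'POST fallback (fix)' => [[], [], [$name => $sid]],
        'nothing: redirect'   => [[], [], []],
        'malformed POST id'   => [[], [], [$name => '../etc/passwd']],
    ];
    foreach ($cases as $label => [$c, $g, $p]) {
        $r = resolve_session_id($name, 'cookie', 'get', $c, $g, $p);
        printf("%-20s source=%-6s redirect=%s\n",
            $label, $r['source'] ?? 'none', $r['redirect'] ? 'yes' : 'no');
    }
}
```

The third case is the one the report is about: with the cookie absent and the id only in the POST body, the original lookup finds nothing and redirects, which is how the session is lost. The last case shows why the shape check is worth adding once ids are read from request parameters at all: an id that arrives in a URL or form field is attacker-chosen input, so validating its form and regenerating the id at privilege changes are the usual mitigations when a cookie-less fallback is enabled.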
----------------------------------------------------------------------