Menu

#92 phpwiki with phpsessid's breaks URL's

User_Authentication
closed
7
2012-10-11
2002-01-15
Anonymous
No

If transparent session id's are compiled into php, and
a user who has cookies blocked to your site either:

  • Views a page and clicks "edit"
  • Views pages while VIRTUAL_PATH is false and clicks on
    another linked page

The URL's get FUBAR:

http://server/wiki/index.php/Oracle%20Applications&?PHPSESSID=243fc4338a9871d6bb3f28d3f9ec6985#63;action=edit

if you notice the "&" on the URL, it tries to edit a
page called "Oracle Applications&", instead of having
the PHPSESSID as a variable.

I'm aware that phpwiki doesn't do any special PHPSESSID
handling, but I couldn't uncover the issue with this
bug in a cursory look.. I just commented out all the
session handling since we don't need it inside this
organization.

Tested with both 1.3.0-jeffs-hacks and
1.3.2-jeffs-hacks, as well as Mozilla 0.9.7, Netscape
4.7, and Opera 6.0

Discussion

  • Lawrence Akka

    Lawrence Akka - 2002-01-18

    Logged In: YES
    user_id=346996

    I have been getting this too for some time. I thought it
    was just my setup!

    I think the problem arises because PHP assumes that it can
    just insert the PHPSESSID variable into the URL query
    string, but it is not very good at working out where.

    The strange thing with my setup is that this bug seems to
    occur on the first page load only. Hitting refresh makes
    the SESSID disappear from the query string. It remains
    absent for the rest of the session.

    Lawrence

     
  • Lawrence Akka

    Lawrence Akka - 2002-01-18

    Logged In: YES
    user_id=346996

    The reason (of course) why it happens only on the first
    page load on my system is that I have cookies enabled. The
    first time I visit the wiki in a session, I have no SESSID
    cookie, so php inserts PHPSESSID in the query string, and
    also sets a cookie. On a page refresh, the cookie is
    present, so php does not need to mangle the query string.

    Not sure yet why php cannot put the PHPSESSID variable in
    the right place, though

     
  • Geoffrey T. Dairiki

    Logged In: YES
    user_id=45814

    What versions of PHP are y'all running when you experience
    these problems?

    I have not yet looked at this problem in great detail, but
    it would seem to be a bug in PHP. Maybe it's fixed in
    recent versions of PHP?

    In the mean time, if you configure PHP (at compile time)
    without --enable-trans-sid (or with --disable-trans-sid),
    the problem goes away (but you can't log in to PhpWiki
    without cookies enabled in your browser.)

     
  • Nobody/Anonymous

    Logged In: NO

    php 4.1.1 on Debian Linux. I worked around it by
    disabling the trans-sessid in php.. we had planned to
    use it for a project, but that project is no longer
    happening.

     
  • Lawrence Akka

    Lawrence Akka - 2002-01-22

    Logged In: YES
    user_id=346996

    php 4.0.6 on Apache/Windows 2k

     
  • Carsten Klapp

    Carsten Klapp - 2002-01-25

    Logged In: YES
    user_id=369655

    I found this problem too when I tried to use http://validator.w3.org/check to check my html, the validator doesn't support cookies.

    You can add this line into index.php to prevent it:
    ini_set('session.use_trans_sid', 0);

    (I've also checked in this modification into the CVS of the developmental version).

     
  • Carsten Klapp

    Carsten Klapp - 2003-11-09

    Logged In: YES
    user_id=369655

    Closing off, mod "ini_set('session.use_trans_sid', 0);" checked into
    index.php by Jeff as the default around 2002-01-25.

     

Log in to post a comment.

Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.