Re: Cookie not conserved across jump

From: Jerry Stuckle <jstucklex@xxxxxxxxxxxxx>
Date: Sun, 19 Apr 2009 13:43:02 -0400

Puzzled wrote:

On Sun, 19 Apr 2009 16:36:57 +0200,
Michael Fesser <netizen@xxxxxx> wrote:

.oO(Puzzled)

On Sun, 19 Apr 2009 09:37:41 -0400,
Jerry Stuckle <jstucklex@xxxxxxxxxxxxx> wrote:

How do you "jump from one program to another"? There is no jump instruction in PHP (which is good!).

And without any code, it's impossible to tell what you might be doing wrong.
Sorry, I didn't think I needed to specify as there is only one
way to jump...or only one that I know of: header('Location:...')
(if there's more than one, I'd be glad to learn about it/them)

In the WWW this is not considered a jump. You're not jumping anywhere,
but sending the requesting UA (user agent) another URL, which in turn
just leads to another HTTP request. This is called a redirect.

Fair enough. Thanks for the correction.

The code in the first page is:

load_up_session_global() ;
build_and_cache_version_1() ; // at this point, $_SESSION is stocked up with the bits // the v2 page will need
header( 'Location: refresh_version_2.php' ) ;
exit() ;
1) Where's the session_start() call on the first page?

See below. I store sessions in a mysql db, so I've to load the
session routines before calling session_start() ;

2) What do the first two functions do?

load_up_session_global() gets, in part using random db reads, the
specific bits and pieces needed to rebuild new page instances and
stores said bits and pieces into $_SESSION so that all flavors
will be in sync.

build_and_cache_version_1() builds and stores a new image for
the first flavor of the page. refresh_version_2.php has a
comparable routine for building and storing a new image for the
second flavor of the same page, and so on.

3) Are your sessions cookie-based? If you also allow the session ID to
be appended to URLs (which you should not for security reasons), you
would have to manually add the magic constant SID to any redirects.

Yes, they're cookie based.

4) Not related to your problem, but still a bug: The Location header
requires an absolute URL, including scheme and hostname. A relative URL
violates the HTTP spec.

That's interesting, thanks. I wasn't aware that the spec
requires an absolute url.

The first page's main code is, in toto apart from supporting
functions:

<?php define('cDocRoot',$_SERVER['DOCUMENT_ROOT'].'/') ;
require_once( cDocRoot.'Global/incSessions.inc' ) ;
session_start() ;
if ( isset( $_GET['PageStyle'] ) ) set_page_style() ;

require_once( cDocRoot.'Global/incConstants.inc' ) ;
require_once(
cDocRoot.$_SESSION['wPrefsPageStyle'].'/incUtilities_Messages.inc'
) ;

// --------------------------------
// Do we skip showing the frontpage and continue an ongoing
session?
$c = session_get_cookie_params() ;
if ( $c['lifetime'] > 0 ) // if this continues a previous
session
{
header('Location: Entrance.php') ;
}
// --------------------------------
// Rebuild the front pages, if necessary
$fresh = iso_date_num_from_ts() ; // only today's is fresh
$cache_date = db_field( 'page_cache', 'date(LastMod)+0',
'Name="FrontPage" AND
Style="'.$_SESSION['PageStyle'].'"' ) ;
// If stale, refresh for all styles
if (( ! $cache_date ) OR ( $cache_date < $fresh ))
{
require_once( cDocRoot.'CacheRefresher.inc' ) ;
}

// --------------------------------
// Load and go
echo db_field( 'page_cache', 'Body', 'Name="FrontPage" '. 'AND Style="'.$_SESSION['PageStyle'].'"'
).
messages() ;

refresh_version_2.php:

<?php session_start() ;

// examination shows $_SESSION is empty
// and that the cookie is different

A browser just sends the cookies it received before (let aside JS-
created cookies). You can check with Firefox' Live HTTP Headers (or HTTP
Live Headers? Can never remember the exact name ...) extension, which
cookies and other headers were received from the server and which were
sent back.

The part that makes me crazy is that I'm not trying to do
anything fancy here. This is all very simple code, so whatever
it is I'm screwing up must be something that'll make my ears turn
red. Why would session_start() generate a new cookie at all?
What could possibly happen to cause the old one to be discarded?
There's nothing in the docs that I can see.

You said you're using custom session code on the first page - how about on the second?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
.

References:
- Re: Cookie not conserved across jump
  - From: Jerry Stuckle
- Re: Cookie not conserved across jump
  - From: Michael Fesser

Prev by Date: Re: Cookie not conserved across jump
Next by Date: Re: Static member inheritance, const question
Previous by thread: Re: Cookie not conserved across jump
Next by thread: Re: Cookie not conserved across jump
Index(es):
- Date
- Thread

Relevant Pages

Re: Sessions
... click the link and in aoltest3.php the session variable is visable. ... Registered serializer handlers php php_binary wddx ... session.name PHPSESSID PHPSESSID ... see the PHPSESSID, in a cookie, or in the URL. ...
(comp.lang.php)
[Full-disclosure] Advisory 01/2006: PHP ext/session HTTP Response Splitting Vulnerability
... PHP ext/session HTTP Response Splitting Vulnerability ... PHP applications using PHP5's session extension are ...
(Full-Disclosure)
Advisory 01/2006: PHP ext/session HTTP Response Splitting Vulnerability
... PHP ext/session HTTP Response Splitting Vulnerability ... PHP applications using PHP5's session extension are ...
(Bugtraq)
Strange difference when cookie disappears from $_REQUEST in HTTP vs. WAP
... with how PHP interacts with MySQL, ... Header has been generated to destroy your login session cookie, ... the cookie so it doesn't show up in $_REQUEST. ...
(comp.lang.php)
Re: php session GC error
... After this number of seconds, stored data will be seen as 'garbage' ... how do I explicitly tell PHP in the ini what directory to use for session ... Lifetime in seconds of cookie or, if 0, until browser is restarted. ...
(php.general)