Yesterday I searched almost all topics about php sessions, I looked over manual and it still didn’t work. I stayed up very late because of that.
Scenario is: I log in using standard html form. My session is populated with some variables and it work fine. Then I use Flash uploadify to upload some photos and I pass with parametrs – PHPSESSID. My php script does not recognize session. It sees it as empty. Then I try to get that session with different client such as Firefox or Opera and it is empty too. Then I try to get that session with different Chrome tab and it works
As you see my only protection is by IP. I don’t scan other things so this should work when good PHPSESSID is passed and client IP is matching regardless of client type, version etc.
This is init_session.php, file I include everytime at the begining of other files. Therefore I know that Session ID is beeing passed with Flash. But then session is empty.
Directory is set on the top, and path is direct so there shouldn’t be any problems with that. It also doesn’t work when save path is default. I also turned of session autostart and session use only cookies. It didn’t change a thing except I need to set cookie manually.
Is there something here I can try? I think I ran out of options.
EDIT:
I forgot about most importat thing i think that turning off suhosin.session.cryptua will resolve case but i can’t turn it off using ini_set, is there any other way? It seems that this option encrypts session using user-agent field wich would be the case.
ini_set('session.auto_start', '0');
ini_set('session.save_path','/public_html/nowy/tmp');
if (isset($_POST["PHPSESSID"])) {
session_id($_POST["PHPSESSID"]);
} elseif (isset($_COOKIE['PHPSESSID'])) {
session_id($_COOKIE["PHPSESSID"]);
} elseif (isset($_GET["PHPSESSID"])) {
session_id($_GET["PHPSESSID"]);
}
session_start();
setcookie("PHPSESSID", session_id(), time()+3600, "/");
if (!isset($_SESSION['user'])) {
$_SESSION['user'] = 0;
}
if (!isset($_SESSION['initiate'])) {
session_regenerate_id();
$_SESSION['initiate'] = true;
$_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
}
echo ini_get('session.save_path').'<br />';
echo $_POST["PHPSESSID"];
print_r($_SESSION);
RESOLVED
This problem has been solved. I couldn’t set cryptua off because I needed to copy oryginal php5.ini and replace some variables to get it working.
The problem was as expected suhosin.session.cryptua
As Frode suggested in his comment I’m leaving this as an answer.
This can happen when using any flash script, not just uploadify. Any other flash uploader such as
SWFUploadwon’t get the session unless user-agent field is the same.This happens when your server has
suhosinpatch installed but it seems that sometimes this problem doesn’t occur even when settingsuhosin.session.cryptuais enabled asalecgorgesuggested. Although I am not convinced about that. Of course you can pass to flash this variable using php scripts to uncover user-agent of user browser and then flash can disguise himself as the same browser but it’s not elegant solution and I don’t know actionscript so I can’t say if flash can actually do it.Very important:
There are actually two settings that can fix this security patch.
If the first one is disabled then session is not encrypted at all so problem won’t occur. It’s not recommended to disable this. If we disable only the second one then session will be encrypted but encryption won’t relay on user-agent field. This means that any browser or http client can get any session. Therefore it’s recommended to put some other security fields. Suhosin can handle also session ip protection so I recommend to enable
suhosin.session.cryptraddr. Other settings can be found here:Suhosin configuration
To resolve this issue I suggest:
suhosin.session.cryptuaandsuhosin.session.encryptare enabled then copy existing and working php.ini. It’s on the top of php info page:Loaded Configuration File /public_html/php5.ini