Jump to content



Issue Information

  • #000465

  • 3 - Medium

  • Fixed

  • 2.3.1

  • 2.3.3

Issue Confirmations

  • Yes (0)No (0)
Photo

Session error (recreate session + ssl)

Posted by francois01 on 14 July 2012 - 03:24

I think this is an error, it took me many hours to detect.

When you call oscommerce in your browser and the session id is not stored yet in a cookie so visible in your url, recreate session = TRUE and SSL = TRUE, and you create an account, the redirect to "account succesfull created" uses the previous session id, so you are not logged in because customer_id in the new session is not set. Same situation in other places where the session is recreated.

Why when SSL = TRUE: because without SSL only the first call to oscommerce has no session id stored in a cookie, with SSL the first click on a link has still no session id in a cookie (the second has).

I think this is the solution :

The old contents of function in /includes/functies/session.php

function tep_session_recreate() {
if (PHP_VERSION >= 4.1) {
$session_backup = $_SESSION;

unset($_COOKIE[tep_session_name()]);

tep_session_destroy();

if (STORE_SESSIONS == 'mysql') {
session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
}

tep_session_start();

$_SESSION = $session_backup;
unset($session_backup);
}
}

The extra statements for the fix (B+U):

function tep_session_recreate() {
global $SID;
if (PHP_VERSION >= 4.1) {
$session_backup = $_SESSION;

unset($_COOKIE[tep_session_name()]);

tep_session_destroy();

if (STORE_SESSIONS == 'mysql') {
session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
}

tep_session_start();

$_SESSION = $session_backup;
unset($session_backup);

if ($SID) {
$SID = tep_session_id();
}

}

So now the new $SID is set for the next redirect (url) (as long as the session id is not stored in a cookie)..

changed severity to: 3 - Medium
changed status to: Confirmed

changed status to: Fixed
changed fixed-in version to: 2.3.3

Thanks for the report! This has been fixed with:

https://github.com/o...bca8cef311ec73c

tep_session_recreate() now uses session_regenerate_id(true) from PHP 5.1+.