Latest News: (loading..)
Issue Information
-
#000465
-
3 - Medium
-
Fixed
-
2.3.1
-
2.3.3
Issue Confirmations
-
Yes (0)No (0)
0
I think this is an error, it took me many hours to detect.
When you call oscommerce in your browser and the session id is not stored yet in a cookie so visible in your url, recreate session = TRUE and SSL = TRUE, and you create an account, the redirect to "account succesfull created" uses the previous session id, so you are not logged in because customer_id in the new session is not set. Same situation in other places where the session is recreated.
Why when SSL = TRUE: because without SSL only the first call to oscommerce has no session id stored in a cookie, with SSL the first click on a link has still no session id in a cookie (the second has).
When you call oscommerce in your browser and the session id is not stored yet in a cookie so visible in your url, recreate session = TRUE and SSL = TRUE, and you create an account, the redirect to "account succesfull created" uses the previous session id, so you are not logged in because customer_id in the new session is not set. Same situation in other places where the session is recreated.
Why when SSL = TRUE: because without SSL only the first call to oscommerce has no session id stored in a cookie, with SSL the first click on a link has still no session id in a cookie (the second has).
I think this is the solution :
The old contents of function in /includes/functies/session.php
function tep_session_recreate() {
if (PHP_VERSION >= 4.1) {
$session_backup = $_SESSION;
unset($_COOKIE[tep_session_name()]);
tep_session_destroy();
if (STORE_SESSIONS == 'mysql') {
session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
}
tep_session_start();
$_SESSION = $session_backup;
unset($session_backup);
}
}
The extra statements for the fix (B+U):
function tep_session_recreate() {
global $SID;
if (PHP_VERSION >= 4.1) {
$session_backup = $_SESSION;
unset($_COOKIE[tep_session_name()]);
tep_session_destroy();
if (STORE_SESSIONS == 'mysql') {
session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
}
tep_session_start();
$_SESSION = $session_backup;
unset($session_backup);
if ($SID) {
$SID = tep_session_id();
}
}
So now the new $SID is set for the next redirect (url) (as long as the session id is not stored in a cookie)..
The old contents of function in /includes/functies/session.php
function tep_session_recreate() {
if (PHP_VERSION >= 4.1) {
$session_backup = $_SESSION;
unset($_COOKIE[tep_session_name()]);
tep_session_destroy();
if (STORE_SESSIONS == 'mysql') {
session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
}
tep_session_start();
$_SESSION = $session_backup;
unset($session_backup);
}
}
The extra statements for the fix (B+U):
function tep_session_recreate() {
global $SID;
if (PHP_VERSION >= 4.1) {
$session_backup = $_SESSION;
unset($_COOKIE[tep_session_name()]);
tep_session_destroy();
if (STORE_SESSIONS == 'mysql') {
session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
}
tep_session_start();
$_SESSION = $session_backup;
unset($session_backup);
if ($SID) {
$SID = tep_session_id();
}
}
So now the new $SID is set for the next redirect (url) (as long as the session id is not stored in a cookie)..
Thanks for the report! This has been fixed with:
https://github.com/osCommerce/oscommerce2/commit/c9e52a3d2801b09057e6b3f6dbca8cef311ec73c
tep_session_recreate() now uses session_regenerate_id(true) from PHP 5.1+.
https://github.com/osCommerce/oscommerce2/commit/c9e52a3d2801b09057e6b3f6dbca8cef311ec73c
tep_session_recreate() now uses session_regenerate_id(true) from PHP 5.1+.
