Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.1.8

Bug #7784 Auth::start() changes session id
Submitted: 2006-06-01 17:21 UTC
From: mikkoh at emedia dot fi Assigned: hirokawa
Status: Closed Package: Auth_HTTP (version 2.1.6)
PHP Version: 5.1.4 OS: Windows XP
Roadmaps: (Not assigned)    
Subscription  


 [2006-06-01 17:21 UTC] mikkoh at emedia dot fi (Mikko Hämäläinen)
Description: ------------ When authenticating with default settings the session id changes after starting the authentication. This can be avoided by setting the option 'sessionSharing' to false, but seems a bit strange for the default behaviour and (imho) should at least be documented. Test script: --------------- // setting the database connection options $AuthOptions = array( 'dsn'=>"mysqli://mylogin:mypass@localhost/davcms", 'table'=>"lauth_user", 'usernamecol'=>"login", 'passwordcol'=>"passwd", 'cryptType'=>"none", ); $a = new Auth_HTTP("DB", $AuthOptions); $a->setRealm('myrealm'); $a->setCancelText('<h2>Error 401</h2>'); echo "Before:".session_id()."<br />"; $a->start(); // starting the authentication process echo "After:".session_id()."<br />"; Expected result: ---------------- Before:jdal6or5qt0uhtgnpngudsmqk7 After:jdal6or5qt0uhtgnpngudsmqk7 Hello username welcome to my secret page Actual result: -------------- Before:jdal6or5qt0uhtgnpngudsmqk7 After:77579319ce2e19fffcca4cefa9e84ddc Hello username welcome to my secret page

Comments

 [2006-07-09 21:56 UTC] drabaal at gmail dot com (drabaal)
This is a pretty annyoing problem. Also noticed it in UNIX environment, and resulted in an always empty session. Suggest the option "sessionSharing" be defaulted to false.
 [2006-10-01 23:23 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email.If you do not have a message, click here to re-send
MANUAL CONFIRMATION IS NOT POSSIBLE.  Write a message to pear-dev@lists.php.net
to request the confirmation link.  All bugs/comments/patches associated with this

email address will be deleted within 48 hours if the account request is not confirmed!