
I just hit the issue of a PHP program which used to run happily failing with an error at the PHP session_start() function. A spot of Googling (and the phpinfo() function) confirms that SUSE have disabled session support in their recent PHP builds. I found a thread on the issue on the SUSE-English list which quickly dissolved into a rant, but not before someone said it was a security thing. I found the same question and answer in other places, but couldn't find anything further.

So, two requests for information:

1) What can I read which tells me why PHP sessions are a security problem?
2) What can I read which tells me what I need to do to make my PHP program work again?

On Monday, 18 October 2004 03.40, Derek Fountain wrote:
> I just hit the issue of a PHP program which used to run happily failing with an error at the PHP session_start() function. A spot of Googling (and the phpinfo() function) confirms that SUSE have disabled session support in their recent PHP builds. I found a thread on the issue on the SUSE-English list which quickly dissolved into a rant, but not before someone said it was a security thing. I found the same question and answer in other places, but couldn't find anything further.
>
> So, two requests for information:
> 1) What can I read which tells me why PHP sessions are a security problem?
> 2) What can I read which tells me what I need to do to make my PHP program work again?

Doesn't it work if you install php4-session.rpm? Seems to work for me.

On Monday 18 October 2004 09:42, Anders Johansson wrote:
> Doesn't it work if you install php4-session.rpm? Seems to work for me.

I'll try sending this to the right list... :o}

Er, no! I tried that but it made no difference. That RPM just installs a session library, but phpinfo() tells me that the core was compiled with '--disable-session', which seems to mean the library is ignored. I could be wrong - I'm not too well up on how PHP works internally.

What does phpinfo() say about sessions on your system?

On Monday, 18 October 2004 04.00, Derek Fountain wrote:
> On Monday 18 October 2004 09:42, Anders Johansson wrote:
> > Doesn't it work if you install php4-session.rpm? Seems to work for me.
>
> I'll try sending this to the right list... :o}
>
> Er, no! I tried that but it made no difference. That RPM just installs a session library, but phpinfo() tells me that the core was compiled with '--disable-session', which seems to mean the library is ignored. I could be wrong - I'm not too well up on how PHP works internally.

Yes, it's disabled as a built-in feature; what's in that rpm is an extension. It *should* put an "extension=session.so" line in /etc/php.ini for you when it installs.

> What does phpinfo() say about sessions on your system?

Nothing beyond what you see with the compile option --disable-session. I know it works though, because I'm using php sessions right now.

On Monday 18 October 2004 10:05, Anders Johansson wrote:
> Nothing beyond what you see with the compile option --disable-session. I know it works though, because I'm using php sessions right now.

Yeah, mine's working now. I'm running php4-4.3.4-43.11 as installed by YOU. I was also running php4-session-4.3.4-43.11 as installed by YOU, but that stopped sessions working. Backing out to php4-session-4.3.4-26 makes it work again. Strange, you'd have thought it would *break* running two different versions, not fix things!

I guess we're wandering a bit off topic now, but can you check which versions of the packages you're running?

On Monday, 18 October 2004 04.23, Derek Fountain wrote:
> On Monday 18 October 2004 10:05, Anders Johansson wrote:
> > Nothing beyond what you see with the compile option --disable-session. I know it works though, because I'm using php sessions right now.
>
> Yeah, mine's working now. I'm running php4-4.3.4-43.11 as installed by YOU. I was also running php4-session-4.3.4-43.11 as installed by YOU, but that stopped sessions working. Backing out to php4-session-4.3.4-26 makes it work again. Strange, you'd have thought it would *break* running two different versions, not fix things!
>
> I guess we're wandering a bit off topic now, but can you check which versions of the packages you're running?

php4-4.3.4-43.14
php4-session-4.3.4-43.14

The latest ones from YOU, released last Tuesday. 43.11 is older.

On Monday 18 October 2004 10:00, Derek Fountain wrote:
> On Monday 18 October 2004 09:42, Anders Johansson wrote:
> > Doesn't it work if you install php4-session.rpm? Seems to work for me.
>
> Er, no! I tried that but it made no difference. That RPM just installs a session library, but phpinfo() tells me that the core was compiled with '--disable-session', which seems to mean the library is ignored. I could be wrong - I'm not too well up on how PHP works internally.

OK, sorted. You were right: the php4-session RPM makes it work. YOU appears to have upgraded that package without complete upgrades for the whole PHP system. The result was brokenness. Downgrading makes it work, so thanks. Now to work out what the hell YOU did and what it thought it was trying to achieve!

Which SUSE version do you use?

----- Original Message -----
From: "Derek Fountain" <dflists@iinet.net.au>
To: <suse-security@suse.com>
Sent: Monday, October 18, 2004 4:40 AM
Subject: [suse-security] PHP sessions

> I just hit the issue of a PHP program which used to run happily failing with an error at the PHP session_start() function. A spot of Googling (and the phpinfo() function) confirms that SUSE have disabled session support in their recent PHP builds. I found a thread on the issue on the SUSE-English list which quickly dissolved into a rant, but not before someone said it was a security thing. I found the same question and answer in other places, but couldn't find anything further.
>
> So, two requests for information:
> 1) What can I read which tells me why PHP sessions are a security problem?
> 2) What can I read which tells me what I need to do to make my PHP program work again?
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@suse.com
> Security-related bug reports go to security@suse.de, not here

On Monday 18 October 2004 14:43, John wrote:
> Which SUSE version do you use?

9.1, but I figured it out. There appears to be a problem with PHP packages which have been updated by YOU. In particular, the php session package I was using didn't work with the php package I was using, despite them having the same version number. The YOU mirror I was using was a little out of date. I've installed the very latest packages (built last week) and they work fine. :)
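The checks this thread ends up doing by hand (is the session module actually loaded, does php.ini carry the "extension=session.so" line the php4-session RPM is supposed to add, and do the php4 and php4-session packages come from the same build) collected into one shell script. This is an added example, not code from the thread, from SUSE or from PHP. The php.ini path /etc/php.ini, the package names php4 and php4-session, the extension file name session.so, and the use of `php -m` and `rpm -q` for the live check are assumptions about a SUSE 9.1 box; the demonstration data at the bottom is constructed from the version strings quoted in the thread.

```shell
#!/bin/sh
# Added diagnostic example for the problem discussed in this thread.
# Not code from the thread, from SUSE or from PHP. Assumptions: php.ini lives at
# /etc/php.ini, the packages are called php4 and php4-session, the extension is
# loaded with "extension=session.so", and php / rpm are the usual SUSE tools.

# Does the php.ini at $1 contain an active (uncommented) "extension=$2" line?
# Tolerates surrounding whitespace, optional quotes and a trailing ; comment.
ini_loads_extension() {
    pat='^[[:space:]]*extension[[:space:]]*=[[:space:]]*"?'"$2"'"?[[:space:]]*(;.*)?$'
    grep -Eq "$pat" "$1"
}

# Strip a package name from a name-version-release string:
#   nvr_to_vr php4-session php4-session-4.3.4-43.14  ->  4.3.4-43.14
# Fails unless $2 is "$1-" followed by a digit, so "php4" does not swallow
# the prefix of "php4-session-...".
nvr_to_vr() {
    case "$2" in
        "$1"-[0-9]*) printf '%s\n' "${2#$1-}" ;;
        *) return 1 ;;
    esac
}

# Succeeds only when the php4 core NVR ($1) and the php4-session NVR ($2)
# come from the same build, i.e. their VERSION-RELEASE parts are identical.
# The thread's breakage was exactly a mismatch between these two packages.
same_build() {
    core_vr=$(nvr_to_vr php4 "$1") || return 1
    ext_vr=$(nvr_to_vr php4-session "$2") || return 1
    [ "$core_vr" = "$ext_vr" ]
}

# Live check for a real system; skips each step whose tool is not available.
diagnose() {
    ini=${1:-/etc/php.ini}
    if command -v php >/dev/null 2>&1; then
        if php -m 2>/dev/null | grep -qx session; then
            echo "php -m: session module loaded"
        else
            echo "php -m: session module NOT loaded"
        fi
    fi
    if [ -r "$ini" ]; then
        if ini_loads_extension "$ini" session.so; then
            echo "$ini: active extension=session.so line present"
        else
            echo "$ini: no active extension=session.so line"
        fi
    fi
    if command -v rpm >/dev/null 2>&1; then
        core=$(rpm -q php4 2>/dev/null)
        ext=$(rpm -q php4-session 2>/dev/null)
        if same_build "$core" "$ext"; then
            echo "rpm: $core and $ext are the same build"
        else
            echo "rpm: build MISMATCH between '$core' and '$ext'"
        fi
    fi
}

# Stand-alone demonstration on constructed data; needs neither php nor rpm.
demo() {
    tmp=$(mktemp) || return 1
    # constructed php.ini: the session line is commented out
    printf ';extension=session.so\nextension=mysql.so\n' > "$tmp"
    ini_loads_extension "$tmp" session.so && echo "bad" || echo "commented-out session line correctly ignored"
    printf 'extension=session.so\n' >> "$tmp"
    ini_loads_extension "$tmp" session.so && echo "active extension=session.so found"
    rm -f "$tmp"
    # the package combinations reported in the thread
    same_build php4-4.3.4-43.14 php4-session-4.3.4-43.14 && echo "43.14 / 43.14: same build"
    same_build php4-4.3.4-43.11 php4-session-4.3.4-26 || echo "43.11 / 26: build mismatch"
}

demo
```

Run `diagnose` (optionally with a different php.ini path) on the affected machine to get the three answers in one go; `same_build` is deliberately strict about VERSION-RELEASE because, as the thread shows, two packages with the same upstream version (4.3.4) but different SUSE release numbers are not guaranteed to work together.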