Solved

Session-Related Logic Error

Posted on 2010-11-23
Last Modified: 2013-12-07
I need another pair of eyes on this problem.  I have two scripts identical except for the instruction on line 34.  One works and one does not.  You can install the code here and run it to see the effect in action.  On my server, the apparent error is that the Session array does not hold the "cv" value if the value was generated by rand().

This one works as expected:
<?php // RAY_temp_session_works.php
error_reporting(E_ALL);

// ALWAYS START SESSION UNCONDITIONALLY
session_start();
if (empty($_SESSION["cv"])) $_SESSION["cv"] = '?';

// SET FORM STRING
$str = <<<'EOCAP'
<pre>
<form method="post">
ENTER 'CCC' IN THIS BOX:
<input name="cv" value="" autocomplete="off" />
<input type="submit" />
</form>
EOCAP;

// WAS THE FORM SUBMITTED?
if (!empty($_POST["cv"]))
{
    // SHOW SESSION AND POST
    echo "<pre>";
    echo "SESSION: ";
    var_dump($_SESSION);
    echo "POST: ";
    var_dump($_POST);

    // TEST FOR MATCH
    if ($_POST["cv"] == $_SESSION["cv"]) echo PHP_EOL . 'MATCH';
    if ($_POST["cv"] != $_SESSION["cv"]) echo PHP_EOL . 'NO MATCH';
}

// GET A NEW FIXED VALUE
$cv = '321';

// STORE THE VALUE IN THE SESSION
$_SESSION["cv"] = $cv;

// AND PRODUCE THE FORM
$new = str_replace('CCC', $cv, $str);
echo $new;
var_dump($_SESSION);


This one does not work as expected:
<?php // RAY_temp_session_error.php
error_reporting(E_ALL);

// ALWAYS START SESSION UNCONDITIONALLY
session_start();
if (empty($_SESSION["cv"])) $_SESSION["cv"] = '?';

// SET FORM STRING
$str = <<<'EOCAP'
<pre>
<form method="post">
ENTER 'CCC' IN THIS BOX:
<input name="cv" value="" autocomplete="off" />
<input type="submit" />
</form>
EOCAP;

// WAS THE FORM SUBMITTED?
if (!empty($_POST["cv"]))
{
    // SHOW SESSION AND POST
    echo "<pre>";
    echo "SESSION: ";
    var_dump($_SESSION);
    echo "POST: ";
    var_dump($_POST);

    // TEST FOR MATCH
    if ($_POST["cv"] == $_SESSION["cv"]) echo PHP_EOL . 'MATCH';
    if ($_POST["cv"] != $_SESSION["cv"]) echo PHP_EOL . 'NO MATCH';
}

// GET A NEW RANDOM VALUE
$cv = (string)rand(101, 999);

// STORE THE VALUE IN THE SESSION
$_SESSION["cv"] = $cv;

// AND PRODUCE THE FORM
$new = str_replace('CCC', $cv, $str);
echo $new;
var_dump($_SESSION);


Thanks for your help, ~Ray
Question by:Ray Paseur

LVL 13

Expert Comment

by:dsmile
Are you sure $str is well defined?

$str = <<<'EOCAP'

Parse error: parse error, unexpected T_SL in xxx.php on line 9

LVL 13

Expert Comment

by:dsmile
After I corrected that $str, I got your script to run.
And both scripts run fine as designed.

Don't know how your server is configured, but I suggest that you change each key name of POST and SESSION that represents cv to different names so that there's no chance that the PHP engine might get confused.

LVL 108

Author Comment

by:Ray Paseur
$str = <<<'EOCAP'

This is NOWDOC syntax.  PHP 5.3+
http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.nowdoc

Can you please post a link to where you have the scripts installed?  I would like to observe.  My versions are here:
http://www.laprbass.com/RAY_temp_session_works.php
http://www.laprbass.com/RAY_temp_session_error.php

Thanks, ~Ray

LVL 13

Expert Comment

by:dsmile
Sorry, I didn't know that. I'm still using PHP 5.2

I don't have a host so I can't show you my deployment of your scripts.
But when I access your online versions, they still work fine.

I use FF 3.6.12 and IE8.
ray-session-ie.JPG

LVL 108

Author Comment

by:Ray Paseur
Interesting.  I deleted my cookies, and reran the test.  It worked correctly on IE8 and failed on FF 3.6.12.  Did you actually test FF 3.6.12?  I noticed that your posted image was IE.

Thanks for your help here.  Still not sure what to make of this.

LVL 13

Expert Comment

by:dsmile
Yes I did, Ray, just forgot to attach the screenshot.

If deleting cookies makes it run again, then a little tweak on session configuration in php.ini might help.
Let me know when you find the root cause :)
ray-session-ff.JPG

LVL 108

Author Comment

by:Ray Paseur
No, deleting the cookies did not make it run correctly.  I'm mystified.  I've reproduced the failure on a PHP 5.2 server, so I am beginning to think there is something wrong with my installation of FF.

LVL 11

Accepted Solution

by:patsmitty
patsmitty earned 500 total points
For what it's worth, I'm using FF 4.0 Beta 7 and both appear to work fine. See the following:

Supposed Error Script:
 Error Script
Working Script:
 Working Script

LVL 11

Assisted Solution

by:patsmitty
patsmitty earned 500 total points
They both work fine in IE7, IE8, and FF 4.0 Beta 7 on my installation:

http://www.patsmitty.com/ExpertsExchange/temp_session_works.php
http://www.patsmitty.com/ExpertsExchange/temp_session_error.php

I am running PHP Version 5.2.14

LVL 11

Assisted Solution

by:patsmitty
patsmitty earned 500 total points
And... I just tested it on both servers via FF 3.6.13 and both worked as expected.

Just for giggles, what does your about:config look like for your browser's session settings? Here is mine:
About:Config

LVL 108

Author Comment

by:Ray Paseur
Here's mine.
about-config.png

LVL 108

Author Comment

by:Ray Paseur
And while it works for you, I am still getting the error from this URL
http://www.laprbass.com/RAY_temp_session_error.php

And I am still amazed!
error.png

LVL 11

Expert Comment

by:patsmitty
Do you still get it from my URL Ray, or is it just yours?
http://www.patsmitty.com/ExpertsExchange/temp_session_error.php

If you only get the error on yours then I would assume that your php settings have to be the culprit. But if you get the error on both, then re-install your FF and see if that doesn't fix it.

Could this be a caveat to the good quote: "To err is human, and to blame it on a computer is even more so"?  haha

LVL 108

Author Comment

by:Ray Paseur
See attached.  I'm not exactly a novice in computer science and I am completely baffled.  I'm at PHP Version 5.3.4.  This is the only session-related error I have been able to cause.  I'll probably re-install FF, but I sure would like to know how the error is occurring.
patsmitty.png

LVL 11

Assisted Solution

by:patsmitty
patsmitty earned 500 total points
Try it again here: http://www.patsmitty.com/ExpertsExchange/temp_session_error.php

I replaced
$cv = (string) rand(101, 999);

with
$cv = '' . rand(101, 999);


Or try this one here (http://www.patsmitty.com/ExpertsExchange/temp_session_error_1.php) where I store the rand() into a variable and then cast that variable into a string:
// GET A NEW RANDOM VALUE
$cv1 = rand(101, 999);
$cv = (string) $cv1;


Shouldn't matter, but it's worth the shot. I can't think of any reason the fixed value would work where the random value wouldn't.

Happy Holidays

LVL 108

Author Comment

by:Ray Paseur
temp_session_error.php - NO MATCH
temp_session_error_1.php - NO MATCH

Thanks.  I may take this mystery to the grave.

LVL 108

Author Closing Comment

by:Ray Paseur
Never debugged the issue, but it went away when I upgraded Firefox, so I am a happy camper.  @patsmitty: Thanks for your help.  I, too, can't think of any reason the fixed value would work where the random value wouldn't.

LVL 11

Expert Comment

by:patsmitty
I guess I just don't understand how the browser could corrupt sessions somehow. Maybe, just maybe a plugin/add-on that you had was interfering. Thanks for the points though.

Cheers

LVL 108

Author Comment

by:Ray Paseur
Yeah, I don't understand it either.  Probably something about returning the wrong cookie.  Thanks for your help just the same!
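
Added example, not part of the thread and not a confirmed diagnosis: both posted scripts overwrite $_SESSION["cv"] on every request, so any extra request to the page that carries the same session cookie between showing the form and submitting it changes the stored value, which a fixed '321' hides and a random value exposes. The replay below models that sequence and contrasts it with a per-form lookup; the duplicate request, the `form_id` field, the function names and the sample values are assumptions.

```php
<?php
// Added illustration (not from the thread). $_SESSION is modelled as a plain
// array so the request sequence can be replayed with the PHP CLI.

// Same logic as the posted scripts: compare first, then overwrite "cv".
function original(array &$session, array $post, callable $newValue): array {
    $verdict = null;
    if (!empty($post['cv'])) {
        $verdict = ($post['cv'] == ($session['cv'] ?? '?')) ? 'MATCH' : 'NO MATCH';
    }
    $session['cv'] = $newValue();        // happens on EVERY request
    return [$verdict, $session['cv']];   // [verdict, value printed in the form]
}

// Variant: every rendered form gets its own id (hypothetical hidden field
// "form_id"), so a later request cannot replace the value it is waiting for.
function perForm(array &$session, array $post): array {
    $verdict = null;
    $sent = $post['cv'] ?? null;
    $fid  = $post['form_id'] ?? null;
    if (is_string($sent) && $sent !== '' && is_string($fid)) {
        $expected = $session['pending'][$fid] ?? null;
        unset($session['pending'][$fid]);               // single use
        $ok = is_string($expected) && hash_equals($expected, $sent);
        $verdict = $ok ? 'MATCH' : 'NO MATCH';
    }
    $id = bin2hex(random_bytes(8));
    $cv = (string)random_int(101, 999);
    $session['pending'][$id] = $cv;      // a real page would also cap this list
    return [$verdict, $cv, $id];
}

// Replay: GET (form shown), one extra GET the user never sees, then the POST.
function replayOriginal(callable $newValue): string {
    $session = [];
    [, $shown] = original($session, [], $newValue);
    original($session, [], $newValue);   // assumed duplicate request
    return original($session, ['cv' => $shown], $newValue)[0];
}
function replayPerForm(): string {
    $session = [];
    [, $shown, $id] = perForm($session, []);
    perForm($session, []);               // assumed duplicate request
    return perForm($session, ['cv' => $shown, 'form_id' => $id])[0];
}

$seq = ['417', '652', '903'];            // constructed stand-ins for rand() results
echo 'fixed value:  ', replayOriginal(function () { return '321'; }), PHP_EOL;
echo 'random value: ', replayOriginal(function () use (&$seq) { return array_shift($seq); }), PHP_EOL;
echo 'per-form id:  ', replayPerForm(), PHP_EOL;
```

To check whether a live page is receiving such extra requests, compare the web server access log entries for the script against the number of times the form was actually loaded.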