5

I have a session variable that I set like this:

<?php
$token = md5(uniqid(rand(), true));
session_start();
$_SESSION['token'] = $token;
print $_SESSION['token'];
?>

Then on another page I have this:

<?php
session_start();
print $_SESSION['token'];
?>

The problem is that they don't match. I get two completely different strings. register_globals is off. I did notice that when I set md5(....) to a constant string eg: md5('example') that it works as expected and the two strings match. But that shouldn't matter. Any ideas on what's going on here?

EDIT: Apache Access Log:

127.0.0.1 - - [18/Sep/2010:17:46:09 -0500] "GET /index.php HTTP/1.1" 200 3182 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
127.0.0.1 - - [18/Sep/2010:17:46:09 -0500] "GET /style/style.css HTTP/1.1" 304 - "http://cmb.local:8888/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
127.0.0.1 - - [18/Sep/2010:17:46:09 -0500] "GET /js/signup.js HTTP/1.1" 304 - "http://cmb.local:8888/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
127.0.0.1 - - [18/Sep/2010:17:46:09 -0500] "GET /index.php HTTP/1.1" 200 3182 "http://cmb.local:8888/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
127.0.0.1 - - [18/Sep/2010:17:46:10 -0500] "GET /index.php HTTP/1.1" 200 3182 "http://cmb.local:8888/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"

I'm not quite sure how to read that but it looks to me that my file (index.php which I assume is the '/') is being called three times. Am I reading that right? What's going on there?

williamg
  • I can't reproduce this behaviour. Check your access logs, and give some more details about the environment you are using. It's obvious that the code provided isn't the entire system, you are probably resetting that token in another place. – Josh K Sep 18 '10 at 21:59
  • Some browser plugins are known to cause the behaviour that several requests are sent instead of one. – James Sep 18 '10 at 22:28
  • @Josh K I'm not...both pages are static for now. The only thing that gets set or changes is the token and that only happens in one place as shown above. – williamg Sep 18 '10 at 22:31
  • @James And no browser plugins, also all other pages on my site receive only one request. – williamg Sep 18 '10 at 22:32

4 Answers

3

Completely stupid mistake on my part. I had some empty <img> tags in there that were causing the extra requests. facepalm Sorry everyone, problem solved. Thanks for your help!!

williamg
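
The pattern visible in the question's access log, where /index.php is fetched again with itself as the Referer, can be checked for mechanically. This is an added example, not code from the original post; find_self_referred() is a hypothetical helper and the log lines are constructed samples.

```php
<?php
// Added example. find_self_referred() is a hypothetical helper, and $log holds
// constructed sample lines in Apache "combined" format.

function find_self_referred(array $lines): array
{
    // host ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
    $re = '/^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($re, trim($line), $m)) {
            continue; // not a combined-format line
        }
        [$method, $target, $referer] = [$m[1], $m[2], $m[3]];
        $path    = parse_url($target, PHP_URL_PATH);
        $refPath = parse_url($referer, PHP_URL_PATH);
        // A GET whose Referer path equals the requested path means the page
        // itself triggered another fetch of its own URL (an element with an
        // empty src, a self-link, or a script doing the same).
        if ($method === 'GET' && is_string($path) && $path === $refPath) {
            $hits[$path] = ($hits[$path] ?? 0) + 1;
        }
    }
    return $hits; // requested path => number of self-referred requests
}

// Constructed sample: one normal page load, one asset, two self-referred hits.
$log = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 3182 "-" "ExampleBrowser/1.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /style/style.css HTTP/1.1" 304 - "http://site.example/index.php" "ExampleBrowser/1.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 3182 "http://site.example/index.php" "ExampleBrowser/1.0"',
    '127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 3182 "http://site.example/index.php" "ExampleBrowser/1.0"',
];

print_r(find_self_referred($log));
```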
2

The only solution I can think of is that you are making a second request to the first page without knowing it. You should probably check your apache access log for this second access...

Making a simple request counter would be another solution to check this:

$_SESSION['counter'] = isset($_SESSION['counter'])? $_SESSION['counter'] +1 : 0;
greg0ire
  • Yep...that's the problem. When I put this code in there I get 2. I can't figure out why though... It's a static page except for the token part. No looping, updating content, etc... – williamg Sep 18 '10 at 22:08
  • I posted my Apache Access log above. – williamg Sep 18 '10 at 22:20
  • You mean each time you refresh the page, 2 is added instead of one? You see 2, 4, 6, etc.? Do you have any special extension in your browser? Like HTML validator for Firefox? – greg0ire Sep 18 '10 at 22:25
  • Actually it goes up by 3 (3, 6, 9...) No extensions that I know of...plain old Chrome. – williamg Sep 18 '10 at 22:30
  • See here how to add the referer and User-agent to your access log : http://httpd.apache.org/docs/2.0/logs.html#page-header (might be useful) – greg0ire Sep 18 '10 at 22:38
  • Updated access log above with header and user-agent info, but I still don't get why the page is being requested 3 times. – williamg Sep 18 '10 at 22:50
  • No difference between the user-agents, this means all requests are issued from your browser... how about testing with another browser to see if the problem comes from Chrome? – greg0ire Sep 18 '10 at 23:00
  • really?!? I guess it must be your js script then... could you post its content? Perhaps it makes some ajax calls or something. – greg0ire Sep 19 '10 at 10:07
2

You will notice that every time you revisit the first page, your session variable will change. Since it works for a constant string, 'example', I will assume that you revisit page 1 to view what is stored there.

A fix could be checking to ensure that that session variable is not set before you set it again. i.e.

<?php
session_start();
// Generate a token only when the session does not already hold one.
if (empty($_SESSION['token'])) {
    $token = md5(uniqid(rand(), true));
    $_SESSION['token'] = $token;
}
print $_SESSION['token'];
?>

This chunk of code should work as expected.

partoa
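
A variant of the generate-only-if-unset approach above, as an added example that is not part of the original answer. It swaps md5(uniqid(rand(), true)) for random_bytes() and adds a constant-time comparison, assuming the token is later checked against a submitted value (for instance as a form token); csrf_token() and csrf_check() are hypothetical names.

```php
<?php
// Added example: issue the session token once and reuse it on later requests.
// csrf_token() and csrf_check() are hypothetical helper names.

function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Generate only when the session has no token yet, so a duplicate or
    // background GET of the same page cannot replace the stored value.
    if (empty($_SESSION['token'])) {
        // random_bytes() draws from the OS CSPRNG (PHP 7+), unlike
        // rand()/uniqid(), which are not meant for security tokens.
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function csrf_check(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['token'] ?? '';
    // Reject when either side is missing, then compare in constant time.
    return $expected !== '' && $submitted !== null
        && hash_equals($expected, $submitted);
}

// Page 1: embed the token in a form field.
$token = csrf_token();
echo '<input type="hidden" name="token" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">' . PHP_EOL;

// Page 2 (form handler) would reject a mismatch:
// if (!csrf_check($_POST['token'] ?? null)) { http_response_code(403); exit; }
```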
1

Looks weird. That first chunk of code that resets the token must have been run again somehow.

vassilis