megetron Posted March 8, 2012

Hi,

I have old code from 2004 and I would like to update it to use the new Session object. That means using the $_SESSION superglobal variable instead of session_register.

The main reason for this change is that whenever I log out from the software I get:

```
Warning: Unknown: Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively in Unknown on line 0
```

So I replaced my old code:

```php
<?php
session_name("MySite");
session_start();
reset ($_GET);

session_register("ADMIN");
session_register("ADMINNAME");
session_register("MAIL");

$USERCOOKIE_FOR_TRACKING = array();

//to get all session variables
foreach ($_SESSION as $key => $value) {
    $value = stripslashes(trim($value));
    $$key = $value;
}
?>
```

with this new code:

```php
<?php
session_name("MySite");
session_start();
reset ($_GET);

$_SESSION['ADMIN'] = "";
$_SESSION['ADMINNAME'] = "";
$_SESSION['MAIL'] = "";

$USERCOOKIE_FOR_TRACKING = array();

//to get all session variables
foreach ($_SESSION as $key => $value) {
    $value = stripslashes(trim($value));
    $$key = $value;
}
?>
```

BUT now I cannot log in to the software any more. Looks like I am doing something wrong here. Please tell me how to upgrade my code.

Thank you.

AyKay47 Posted March 8, 2012

What $_GET values are available in that script? Also, there's no point in reset()ing $_GET.

Basically this error occurs when attempting to directly transfer global variables into the $_SESSION array when register_globals is off.

PFMaBiSmAd Posted March 8, 2012

Did you do what the error message suggested -

> You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively

megetron Posted March 8, 2012 (Author)

> What $_GET values are available in that script? Also, there's no point in reset()ing $_GET.
>
> Basically this error occurs when attempting to directly transfer global variables into the $_SESSION array when register_globals is off.

The script is included in many files that are used by the software. The purpose of the script is to set the sessions, so it can be used in many places in the software as a global. I am not sure what $_GET is all about, but with the _GET method I don't have any issues, so I will not change it in the meantime.

> Did you do what the error message suggested - You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively

I tried to disable this in the .htaccess file in many ways but the error still exists. But according to an article I read, session_register was removed from php 4.2 because it is not secure, so I really need security in my application and it is important for me not to stay behind in the technology and security that php 5 offers.

So I chose not to change the .htaccess file, and instead I would like to fix it so php5 will approve my code by default.

What should I do to make this happen?

Thank you for the replies.

AyKay47 Posted March 8, 2012

You can use

.htaccess

```
php_flag session.bug_compat_42 1
php_flag session.bug_compat_warn 0
```

or

php.ini

```
session.bug_compat_42 = 1
session.bug_compat_warn = 0
```

scootstah Posted March 8, 2012

Instead of this:

```php
//to get all session variables
foreach ($_SESSION as $key => $value) {
    $value = stripslashes(trim($value));
    $$key = $value;
}
```

You can just do:

```php
extract($_SESSION);
```

megetron Posted March 8, 2012 (Author)

If in the new version of php the $_SESSION object does a self register, I can remove the session_register.

According to your suggestion I have put together new code (without changing php.ini or .htaccess):

```php
<?php
session_name("MySite");
session_start();
reset ($_GET);

$USERCOOKIE_FOR_TRACKING = array();

//to get all session variables
extract($_SESSION); // FOR NEW VERSION
?>
```

It looks good and updated to the new version of php. Can you please review the code? This is a very important section, as all of my website is using this file and tracking stuff. If my changes can harm other parts of my code, I would like to know what you think the risks are.

As for QA, I am doing it right now.

Thank you guys!

scootstah Posted March 8, 2012

The only thing is, is that you are essentially re-creating register globals. Which means you still suffer all of the problems from register globals. I realize (and hope) you are only doing this sort of thing with the $_SESSION array, but I feel it could still lead to unexpected bugs which may threaten the security of your application.

It is a band-aid for outdated code, nothing more. The correct thing to do is go through the entire code base and update it as such that it no longer relies on register globals.

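The overwrite behaviour behind the concern in the post above, as an added example that is not part of the original thread: `extract()` defaults to `EXTR_OVERWRITE`, so a session key can replace a variable the include has just initialised, while copying only an explicit list of keys cannot. The `$_SESSION` contents, the function names and the function scope (instead of the include's global scope) are constructed for illustration.

```php
<?php
// Constructed stand-in for a stored session; in a real request
// session_start() would populate $_SESSION.
$_SESSION = [
    'ADMIN'                   => '1',
    'ADMINNAME'               => 'alice',
    'USERCOOKIE_FOR_TRACKING' => 'stale value written by another script',
    'undocumented_key'        => 'x',
];

// Variant 1: the include as posted in the thread. Every session key becomes
// a variable, and a key that matches an existing variable replaces it.
function load_with_extract()
{
    $USERCOOKIE_FOR_TRACKING = array();
    extract($_SESSION);              // same as extract($_SESSION, EXTR_OVERWRITE)
    return get_defined_vars();
}

// Variant 2 (hypothetical helper): import only the keys the application
// expects, so nothing else in the session can shadow a script variable.
function load_with_allowlist(array $allowed)
{
    $USERCOOKIE_FOR_TRACKING = array();
    foreach ($allowed as $key) {
        $$key = isset($_SESSION[$key]) ? $_SESSION[$key] : '';
    }
    unset($allowed, $key);           // keep the report to imported names
    return get_defined_vars();
}

$posted = load_with_extract();
$listed = load_with_allowlist(['ADMIN', 'ADMINNAME', 'MAIL']);

echo "extract():  ", implode(', ', array_keys($posted)), "\n";
echo "  tracking array intact: ",
    var_export(is_array($posted['USERCOOKIE_FOR_TRACKING']), true), "\n";
echo "allowlist:  ", implode(', ', array_keys($listed)), "\n";
echo "  tracking array intact: ",
    var_export(is_array($listed['USERCOOKIE_FOR_TRACKING']), true), "\n";
```
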
DavidAM Posted March 8, 2012

Neither extract(), nor your original code changes, is going to make the site work.

extract() is a one-way process. While it will create the "session" variables in global scope (such as $ADMINNAME), it is not linked to the session, so any script that modifies $ADMINNAME or tries to assign a value to it, is not affecting the session value, which means it will revert to the old value on the next page load. This process will also not pick up any "session" variables that are created in other scripts.

My recommendation is to set up the site on a development machine, turn on full error reporting, and start fixing the "undefined variable" errors.

I think the closest you can get to replicating the behavior would be to "reference" the $_SESSION values:

```php
foreach ($_SESSION as $key => $value) {
    $$key = &$_SESSION[$key]; // Note the & that makes the new variable a reference
}
```

Then everywhere (in all scripts) that there is a session_register() call, change it to:

```php
session_register("ADMIN");
$ADMIN = &$_SESSION["ADMIN"]; // Again with the & to make it a reference
```

I have never tested this, and I'm not 100% sure that it will make the site 100% functional. I also Do Not Recommend Doing This. But that is my best guess at how to make things happen.

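The copy-versus-reference difference described in the post above, together with the effect of the unconditional assignments in the first post's replacement code, as an added example that is not part of the original thread. The function names, the sample values and the in-memory `$_SESSION` are constructed for illustration.

```php
<?php
// $_SESSION is a constructed in-memory stand-in; a real request would call
// session_start() and PHP would persist the array between requests.

// Replacement from the first post: runs on every request, so it overwrites
// whatever the login page stored.
function bootstrap_reset()
{
    $_SESSION['ADMIN'] = "";
    $_SESSION['ADMINNAME'] = "";
}

// Hypothetical guarded form: set a default only when the key is missing.
function bootstrap_defaults()
{
    foreach (['ADMIN', 'ADMINNAME'] as $key) {
        if (!isset($_SESSION[$key])) {
            $_SESSION[$key] = "";
        }
    }
}

function rename_via_copy($name)
{
    extract($_SESSION);
    $ADMINNAME = $name;               // changes the extracted copy only
}

function rename_via_reference($name)
{
    $ADMINNAME = &$_SESSION['ADMINNAME'];
    $ADMINNAME = $name;               // writes through to the session
}

function rename_direct($name)
{
    $_SESSION['ADMINNAME'] = $name;   // no global-style variable involved
}

$_SESSION = ['ADMIN' => '1', 'ADMINNAME' => 'alice'];   // state after login
bootstrap_defaults();
echo "guarded defaults keep login: ", var_export($_SESSION['ADMIN'] === '1', true), "\n";
rename_via_copy('bob');
echo "after extract() copy: ", $_SESSION['ADMINNAME'], "\n";
rename_via_reference('carol');
echo "after reference:      ", $_SESSION['ADMINNAME'], "\n";
rename_direct('dave');
echo "after direct write:   ", $_SESSION['ADMINNAME'], "\n";
bootstrap_reset();
echo "unconditional reset keeps login: ", var_export($_SESSION['ADMIN'] === '1', true), "\n";
```
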