session and firefox

graziano

I have a strange session problem with firefox (latest 1.5 version )

I have the following webform


<FORM METHOD="POST" ACTION="send.php" >
<?
session_start();
$secret = md5(uniqid(rand(), true));
$_SESSION['secret'] = $secret; // set the session
$auth = $_SESSION['secret']; 
echo"<input type=\"hidden\" name=\"auth\" value=\"$auth\" /> ";
?>

and on send.php I have this

session_start();
if ( $_POST['auth'] != $_SESSION['secret'] )
{

echo "FAILED";
echo"<sup> ".$_SESSION['secret']."--  ".$_POST['auth']."</sup>";

}
else
{
echo"OK";
}

This is the problem
When I test this form using explorer 6 I receive "OK"
when I test this form using Firefox I receive "FAILED" and
$SESSION['secret'] and $POST['auth'] are NOT the same , because
Firefox generates a new $_SESSION['secret'] when opens send.php (?)
It does NOT happen with internet explorer !

Any idea ?

Thank you
Graziano

ClarkF1

Try putting session_start() before anything else on the form page.

graziano

tried , it didn't help . Let'say that I tried in other 1 million way too ... but perhaps someone can suggest me the 1million and 1 which works fine 🙂

ClarkF1

I just tried it in firefox 1.5.0.7 and it worked.

test.php

<?
session_start();
?>
<FORM METHOD="POST" ACTION="send.php" >
<?
$secret = md5(uniqid(rand(), true));
$_SESSION['secret'] = $secret; // set the session
$auth = $_SESSION['secret'];
echo"<input type=\"hidden\" name=\"auth\" value=\"$auth\" /> ";
?> 
<input type="submit">
</form>

send.php

<?
session_start();
if ( $_POST['auth'] != $_SESSION['secret'] )
{

echo "FAILED";
echo"<sup> ".$_SESSION['secret']."--  ".$_POST['auth']."</sup>";

}
else
{
echo"OK";
}
?>

graziano

could I have some php.ini setting wrong ?

ClarkF1

I can't think of any php.ini setting that would make it work differently in firefox and ie.

HalfaBee

I tried a test with this, and it worked fine.

<? session_start() ?>
<html>
<head>
       <title>Title here!</title>
</head>
<body>
<pre>
<? print_r( $_POST ); print_r( $_SESSION ); ?>

<FORM METHOD="POST" ACTION="send.php" >
<?
$secret = md5(uniqid(rand(), true));
$_SESSION['secret'] = $secret; // set the session
$auth = $_SESSION['secret'];
echo"<input type=\"hidden\" name=\"auth\" value=\"$auth\" /> ";
?>
<input type=submit>
</form>
</body>
</html>

graziano

I found a solution also for me

session_cache_limiter('private_no_expire');
session_cache_expire(15);

exactly before session_start()

For me works ONLY in this way with firefox .

Weedpacket

Do you have some Firefox setting wrong (are you using URL-based session IDs if you've set Firefox to refuse cookies)?

graziano

URL-based session IDs ... i don't know

Firefox is NOT set to refuse cookies