[Done 156A]PHP Warning: session_id(): Cannot change session id when session is active

[davewest]

New xampp install to php7.3 first time install of ZC156 with php7.3

Server OS: Linux 4.4.0-140-generic
HTTP Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/7.3.0 mod_perl/2.0.8-dev Perl/v5.16.3
PHP Version: 7.3.0 (Zend: 3.3.0-dev)
Database Engine: MySQL 5.5.5-10.1.37-MariaDB

Zen Cart 1.5.6
Database Patch Level: 1.5.6
v1.5.6 [2018-12-17 07:04:49] (New Installation-v156)

Each time during admin login I get this error log created..

Code:

[17-Dec-2018 19:08:38 Europe/Berlin] Request URI: /public_html/zencart156/ADMIN/login.php?camefrom=index.php, IP address: 127.0.0.1
#1  session_id() called at [/public_html/zencart156/includes/functions/sessions.php:178]
#2  zen_session_recreate() called at [/public_html/zencart156/ADMIN/includes/functions/admin_access.php:421]
#3  zen_validate_user_login() called at [/public_html/zencart156/ADMIN/login.php:35]
[17-Dec-2018 19:08:38 Europe/Berlin] PHP Warning:  session_id(): Cannot change session id when session is active in /public_html/zencart156/includes/functions/sessions.php on line 178

[17-Dec-2018 19:08:38 Europe/Berlin] Request URI: /public_html/zencart156/ADMIN/login.php?camefrom=index.php, IP address: 127.0.0.1
#1  session_id() called at [/public_html/zencart156/includes/functions/sessions.php:179]
#2  zen_session_recreate() called at [/public_html/zencart156/ADMIN/includes/functions/admin_access.php:421]
#3  zen_validate_user_login() called at [/public_html/zencart156/ADMIN/login.php:35]
[17-Dec-2018 19:08:38 Europe/Berlin] PHP Warning:  session_id(): Cannot change session id when session is active in /public_html/zencart156/includes/functions/sessions.php on line 179

Cart side works fine, no products loaded in database yet...

commenting out lines 178, 179 in includes/functions/sessions.php stops the log file creation!!!! Unsure of affects down-line still testing!

[davewest]

The logs are not created under PHP7.2, just 7.3 with Recreate Session true in admin session settings. With recreate off or false, no logs. commenting out lines 178 and 179 also no logs.. there was some bug fixes in php7.3 on session_id() and sessions in general for Session Data Injection Vulnerability, Bug #72681 But I've not had time to really dig into the changes.... something to look into later..

I'm not sure why lines 178, 179 are there for yet... but.. In tracking session ID, it is getting recreated after login so I don't see any issue with the code, thinking more a change in php session_id()..

The kicker is, it's just warnings, not taking the site down so maybe something to look at is the use of session_id() with PHP7.3 when time permits..

[DrByte]

commenting out lines 178, 179 in includes/functions/sessions.php stops the log file creation!!!!

At first glance I don't think we want to remove both of those lines.

Things to test:
Do customers and administrators lose any data between http vs https when logging in between http/https? Are cart contents lost when shopping?
If the site is configured with HTTP_SERVER and HTTPS_SERVER both being identical, does session data (cart contents is a good example) remain before/after login?

[davewest]

At first glance I don't think we want to remove both of those lines.

Things to test:
Do customers and administrators lose any data between http vs https when logging in between http/https? Are cart contents lost when shopping?
If the site is configured with HTTP_SERVER and HTTPS_SERVER both being identical, does session data (cart contents is a good example) remain before/after login?

Test site is full https and warnings are logging on both customer and admin login with session recreate set to true..

if I'm understanding this right.. session_id() is used to get or set the session id for the current session.

Code:

        $saveSession = $_SESSION;     //saving session data
        $oldSessID   = session_id();  //get old session ID        
        session_regenerate_id();      //regenerating new session ID        
        $newSessID = session_id();    //get new session ID
        session_id($oldSessID);    //??setting session ID to old one???
        session_id($newSessID);    //??setting session ID to new one??
        $_SESSION = $saveSession;    //restoring session data

Then setting the session id two more times would flag warnings for each which is what the log file is telling me.. From what I've read so far, this was silently failing in past versions of php and changed with 7.3..

Commenting out the two lines is working so far, but agree more testing is needed.... well change the site to http/https and see what happens.

[DrByte]

After some testing, for now I think the most compatible fix is indeed changing the 2 lines that davewest originally proposed above.

Here it is on github: https://github.com/zencart/zencart/c...b8508e6fcf3d6c

[hairydog]

After some testing, for now I think the most compatible fix is indeed changing the 2 lines that davewest originally proposed above.

Here it is on github: https://github.com/zencart/zencart/c...b8508e6fcf3d6c

Unfortunately, that fix seems to be included in the 1.5.6c code, but I'm still getting this warning on php7.3
--> PHP Warning: session_id(): Cannot change session id when session is active in /srv/domain.co.uk/public/htdocs/includes/modules/pages/payer_auth_verifier/header_php.php on line 55.

[hairydog]

Am I the only person with this problem?

[swguy]

@drbyte and @davewest - great job, guys.

@hairydog - likely no but since it's just a warning, and many people completely ignore warnings, it's hard to say.

[hairydog]

I'm never comfortable with ignoring warnings, but there seems to be little alternative.

[davewest]

I'm never comfortable with ignoring warnings, but there seems to be little alternative.

You may need to give more hints... like what payment system are you using.. authorizing or verifying.. I'm not having any issues with Square or checks on ZC156c and php7.3.11.. I'm not sure how payer_auth_verifier is called/used .