Warning: session.auto_start is enabled - please disable this php feature in php.ini and restart the web server.


HolmesHustle


OK, so I am getting this error message on first run after install:

Warning: session.auto_start is enabled - please disable this php feature in php.ini and restart the web server.

Then, upon going to another page or refresh or anything, it gives:

Fatal error: Unknown(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition navigationhistory of the object you are trying to operate on was loaded _before_ the session was started in /home/onestoph/public_html/shop/includes/application_top.php on line 309

I'm assuming due to the fact of the session auto_start....

OK, so I send in a support ticket and this is what I get:

"Hi Chris,

I just received word from the data centre. Server Admin will not disable auto start session.

Disabling auto start session is a severe security risk. According to server admin for the reasons stated below :

There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network.

Thanks,

Cheryl"

So I sent back another creative message and got this back:

"Hi Chris,

I'm sorry, but I cannot give you an exact date for php5. I have sent 3 tickets to the data centre, and the last one stated they could not provide a definite date as to the installation.

As for your problem with session.autostart the data centre will not disable this feature because it will put "everyone" on the server at risk. I'm sorry this is not the news you wished to hear. However, you might be able to disable this feature through htaccess or by editing your application_top.php file in your oscommerce folder. Oscommerce forums have a lot of useful information regarding this. You might also do a Google search as well.

Thanks,

Cheryl"

...soooo what to do, what....to...do!!!


  • 5 months later...
  • 5 weeks later...

CXLII. Session Handling Functions

Introduction

Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.

 

A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

 

The session support allows you to register arbitrary numbers of variables to be preserved across requests. When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start() or implicitly through session_register()) whether a specific session id has been sent with the request. If this is the case, the prior saved environment is recreated.

 

Caution If you do turn on session.auto_start then you cannot put objects into your sessions since the class definition has to be loaded before starting the session in order to recreate the objects in your session.

 

All registered variables are serialized after the request finishes. Registered variables which are undefined are marked as being not defined. On subsequent accesses, these are not defined by the session module unless the user defines them later.

 

Warning Some types of data can not be serialized thus stored in sessions. It includes resource variables or objects with circular references (i.e. objects which passes a reference to itself to another object).

 

Note:
Session handling was added in PHP 4.0.

 

Note:
Please note when working with sessions that a record of a session is not created until a variable has been registered using the
function or by adding a new
to the $_SESSION superglobal array. This holds true regardless of if a
has been started using the
function.

 

Sessions and security

External links: Session fixation

 

The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.

 

Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.

 

There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.

 

Requirements

No external libraries are needed to build this extension.

 

Note:
Optionally you can use shared memory allocation (mm), developed by Ralf S. Engelschall, for
storage. You have to download
and install it. This option is not available for Windows platforms. Note that the
storage module for mm does not guarantee that concurrent accesses to the same session are properly locked. It might be more appropriate to use a shared memory based
(such as tmpfs on Solaris/Linux, or /dev/md on BSD) to store sessions in files, because they are properly locked. Session data is stored in memory thus web server restart deletes it.

 

Installation

Session support is enabled in PHP by default. If you would not like to build your PHP with session support, you should specify the --disable-session option to configure. To use shared memory allocation (mm) for session storage configure PHP --with-mm[=DIR] .

 

The windows version of PHP has built in support for this extension. You do not need to load any additional extension in order to use these functions.

 

Note:
By default, all data related to a particular
will be stored in a
in the directory specified by the session.save_path INI option. A
for
(regardless of if any data is associated with that session) will be created. This is due to the fact that a session is opened (a
is created) but no data is even written to that file. Note that this behavior is a side-effect of the limitations of working with the
and it is possible that a custom
handler (such as one which uses a database) does not keep track of sessions which store no data.

 

Link to comment
Share on other sites
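
Why the fatal error in the first post follows from the manual's caution about session.auto_start, shown as an added example (not code from this thread or from osCommerce). The class body is a stand-in, the serialized string is constructed, and unserialize() is called directly in place of the session module restoring the object.

```php
<?php
// Added illustration, not osCommerce code. Only the class name comes from the
// error message in this thread; the class body is a stand-in.

// Constructed sample: a serialized object as it would sit in stored session data.
$stored = 'O:17:"navigationhistory":1:{s:4:"path";a:1:{i:0;s:9:"index.php";}}';

// Restore the data and report what kind of object came back.
function restore(string $data): array
{
    $obj = unserialize($data);
    return [
        'class'  => get_class($obj),
        'usable' => !($obj instanceof __PHP_Incomplete_Class),
    ];
}

// Case 1, session.auto_start = 1: the session is restored before any
// application file has declared the class.
$early = restore($stored);

// Case 2, auto_start off: the application declares the class first and only
// then starts the session. A class inside an if-block is declared when
// execution reaches it, which stands in for a later include here.
if (!class_exists('navigationhistory', false)) {
    class navigationhistory
    {
        public $path = [];

        public function add_current_page(string $page): void
        {
            $this->path[] = $page;
        }
    }
}
$late = restore($stored);

foreach (['auto_start on' => $early, 'auto_start off' => $late] as $label => $r) {
    printf("%-15s class=%s usable=%s\n", $label, $r['class'], $r['usable'] ? 'yes' : 'no');
}
```

In the first case the object comes back as __PHP_Incomplete_Class, which is the "incomplete object" the fatal error refers to.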

If you get something like "Warning: session_start():"... then your PHP is misconfigured. You probably need to set session.save_path correctly (on linux / unix "session.save_path /tmp" is a good choice). And / or you need to configure the session.save_handler correctly ("session.save_handler files" is a good choice). These settings are in php.ini of your PHP installation and you need to restart the webserver after the changes. You may be able to set the necessary PHP session variables without altering your main php.ini file by placing configuration directives in your Gallery directory's .htaccess file (Reference).


  • 10 months later...
I added:

php_value session.auto_start 0

to .htaccess and it seemed to fix it, however I'm not completely sure

 

Put "session.auto_start = Off" in your php.ini. If you don't have a php.ini file, create a new file in the root directory of your website, call it php.ini and add that line.

Link to comment
Share on other sites
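
One way to confirm that an .htaccess or php.ini change took effect, and to check the session settings that the manual's security section touches on, shown as an added example (not from this thread or from osCommerce). The directive names are real php.ini settings; the function names, the expected values and the sample array are this example's own assumptions.

```php
<?php
// Added illustration, not from the thread or osCommerce. The directive names
// are real php.ini settings; the expected values are this example's choices.

// Values in force for the directory this script is served from.
function effective_session_settings(): array
{
    $names = ['session.auto_start', 'session.use_only_cookies',
              'session.use_trans_sid', 'session.cookie_secure'];
    return array_combine($names, array_map('ini_get', $names));
}

// Returns one finding per setting that conflicts with the advice in the thread.
function audit_session_settings(array $ini): array
{
    // ini values arrive as "1", "0", "", "On" or "Off" depending on their source.
    $on = function (string $name) use ($ini): bool {
        return filter_var($ini[$name] ?? '', FILTER_VALIDATE_BOOLEAN);
    };
    $findings = [];
    if ($on('session.auto_start')) {
        $findings[] = 'session.auto_start is on: session objects are restored before their classes load';
    }
    if (!$on('session.use_only_cookies')) {
        $findings[] = 'session.use_only_cookies is off: a session id in the URL is accepted';
    }
    if ($on('session.use_trans_sid')) {
        $findings[] = 'session.use_trans_sid is on: links carry the session id and can reach referrer logs';
    }
    if (!$on('session.cookie_secure')) {
        $findings[] = 'session.cookie_secure is off: the session cookie is also sent over plain HTTP';
    }
    return $findings;
}

// Constructed sample resembling the shared host described in the first post.
$sample = ['session.auto_start' => '1', 'session.use_only_cookies' => '0',
           'session.use_trans_sid' => '1', 'session.cookie_secure' => '0'];

print_r(audit_session_settings($sample));
print_r(audit_session_settings(effective_session_settings()));
```

Request the script through the web server from the shop directory so that the directory's .htaccess applies; the command-line PHP binary reads its own configuration.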

Archived

This topic is now archived and is closed to further replies.
