PHP :: Bug #74514 :: 5 session functions incorrectly warn when calling in read-only/getter mode

Bug #74514	5 session functions incorrectly warn when calling in read-only/getter mode
Submitted:	2017-04-29 22:32 UTC	Modified:	2017-06-30 15:37 UTC
From:	spam2 at rhsoft dot net	Assigned:	yohgaki (profile)
Status:	Closed	Package:	Session related
PHP Version:	7.2.0alpha2	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2017-04-29 22:32 UTC] spam2 at rhsoft dot net

Description:
------------
[30-Apr-2017 00:16:55 Europe/Vienna] PHP Warning:  session_name(): Cannot change session name when headers already sent in /Volumes/dune/www-servers/cms/cms/autotests/suite/backend.php on line 40

for *sure* not

line 40 is "$session_name = session_name();"

nobody is asking here for any change

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-04-29 22:51 UTC] daverandom@php.net

-Status: Open +Status: Feedback

[2017-04-29 22:51 UTC] daverandom@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2017-04-29 23:01 UTC] spam2 at rhsoft dot net

just run a CLI script with no session started - the line from te origin report is one of many thousands and it's intention is to work environment independet and get/send the correct cookie for thousands of curl calls

i will rewrite the code now to "ini_get('session.name'); but that don't change the fact that there is some BC change

[2017-04-29 23:05 UTC] spam2 at rhsoft dot net

http://php.net/manual/en/function.session-name.php

> session_name() returns the name of the current session. If name is given, 
> session_name() will update the session name and return the old session name
_____________

$session_name = session_name();

do you see a name given here?

[2017-05-07 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

[2017-05-07 09:06 UTC] spam2 at rhsoft dot net

WTF - did you even read the error message from the initial report and the fact calling the function without parameters is not supposed to write any headers or start a session - i just want the current setting to parse out the session cookie from response headers on that same machine 

However, do what you want, as I said for my use case ini_get is a workaround while it could be prohibited on production machines and when session_name changed the name it is probably no longer the same value

[2017-05-07 14:55 UTC] requinix@php.net

-Status: No Feedback +Status: Analyzed -Assigned To: +Assigned To: yohgaki

[2017-05-07 14:55 UTC] requinix@php.net

Affects master only.
<?php echo " "; session_name();

https://github.com/php/php-src/commit/7f196e321fa464075248eced7d0d2c046b686b24

session_name, session_module_name, session_save_path, session_cache_limiter, and session_cache_expire could all use changes like

- 	if (SG(headers_sent)) {
+	if (name && SG(headers_sent)) {

(which is used now but inconsistently) to allow read-only calls. Also, session_cache_expire has a RETURN_LONG for an active session where the other functions will RETURN_FALSE.

[2017-06-23 23:59 UTC] requinix@php.net

Related To: Bug #74809

[2017-06-24 00:03 UTC] requinix@php.net

-Summary: PHP Warning: session_name(): Cannot change session name when headers already +Summary: 5 session functions incorrectly warn when calling in read-only/getter mode -PHP Version: master-Git-2017-04-29 (Git) +PHP Version: 7.2.0alpha2

[2017-06-30 15:37 UTC] yohgaki@php.net

-Status: Analyzed +Status: Verified

[2017-06-30 15:37 UTC] yohgaki@php.net

It seems current master's session_name() is changed to send cookie even when it shouldn't.


[yohgaki@dev PHP-master]$ ./sapi/cli/php -r 'var_dump($n=session_name("foo"));var_dump(session_name());'
string(9) "PHPSESSID"

Warning: session_name(): Cannot change session name when headers already sent in Command line code on line 1
bool(false)
[yohgaki@dev PHP-master]$ php -v
PHP 7.0.20 (cli) (built: Jun  7 2017 04:59:25) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.20, Copyright (c) 1999-2017, by Zend Technologies
[yohgaki@dev PHP-master]$ php -r 'var_dump($n=session_name("foo"));var_dump(session_name());'
string(9) "PHPSESSID"
string(3) "foo"

[2017-06-30 18:34 UTC] yohgaki@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a2d766503aed619493386a9b4ef8190be62b36f7
Log: Fixed bug #74514 5 session functions incorrectly warn when calling in read-only/getter mode

[2017-06-30 18:34 UTC] yohgaki@php.net

-Status: Verified +Status: Closed

[2017-07-17 09:41 UTC] requinix@php.net

Related To: Bug #74936

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 09:01:32 2024 UTC