Bug #74514 5 session functions incorrectly warn when calling in read-only/getter mode
Submitted: 2017-04-29 22:32 UTC
Modified: 2017-06-30 15:37 UTC
From: spam2 at rhsoft dot net
Assigned: yohgaki (profile)
Status: Closed
Package: Session related
PHP Version: 7.2.0alpha2
OS: Linux
Private report: No
CVE-ID: None
 [2017-04-29 22:32 UTC] spam2 at rhsoft dot net
Description:
------------
[30-Apr-2017 00:16:55 Europe/Vienna] PHP Warning:  session_name(): Cannot change session name when headers already sent in /Volumes/dune/www-servers/cms/cms/autotests/suite/backend.php on line 40

for *sure* not

line 40 is "$session_name = session_name();"

nobody is asking here for any change


 [2017-04-29 22:51 UTC] daverandom@php.net
-Status: Open +Status: Feedback
 [2017-04-29 22:51 UTC] daverandom@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.


 [2017-04-29 23:01 UTC] spam2 at rhsoft dot net
just run a CLI script with no session started - the line from the origin report is one of many thousands and its intention is to work environment independent and get/send the correct cookie for thousands of curl calls

i will rewrite the code now to "ini_get('session.name');" but that doesn't change the fact that there is some BC change
 [2017-04-29 23:05 UTC] spam2 at rhsoft dot net
http://php.net/manual/en/function.session-name.php

> session_name() returns the name of the current session. If name is given, 
> session_name() will update the session name and return the old session name
_____________

$session_name = session_name();

do you see a name given here?
 [2017-05-07 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2017-05-07 09:06 UTC] spam2 at rhsoft dot net
WTF - did you even read the error message from the initial report and the fact calling the function without parameters is not supposed to write any headers or start a session - i just want the current setting to parse out the session cookie from response headers on that same machine 

However, do what you want, as I said for my use case ini_get is a workaround while it could be prohibited on production machines and when session_name changed the name it is probably no longer the same value
 [2017-05-07 14:55 UTC] requinix@php.net
-Status: No Feedback +Status: Analyzed -Assigned To: +Assigned To: yohgaki
 [2017-05-07 14:55 UTC] requinix@php.net
Affects master only.
<?php echo " "; session_name();

https://github.com/php/php-src/commit/7f196e321fa464075248eced7d0d2c046b686b24

session_name, session_module_name, session_save_path, session_cache_limiter, and session_cache_expire could all use changes like

- 	if (SG(headers_sent)) {
+	if (name && SG(headers_sent)) {
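Review bot: the `+` line tests `name`, which is the optional argument of session_name(), so carrying this change over to the other four functions means testing each function's own optional argument rather than copying the condition verbatim. A test that calls each of the five functions with no argument after output has been sent, and asserts that no warning is raised, would keep the getter path from regressing again.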

(which is used now but inconsistently) to allow read-only calls. Also, session_cache_expire has a RETURN_LONG for an active session where the other functions will RETURN_FALSE.
 [2017-06-24 00:03 UTC] requinix@php.net
-Summary: PHP Warning: session_name(): Cannot change session name when headers already +Summary: 5 session functions incorrectly warn when calling in read-only/getter mode -PHP Version: master-Git-2017-04-29 (Git) +PHP Version: 7.2.0alpha2
 [2017-06-30 15:37 UTC] yohgaki@php.net
-Status: Analyzed +Status: Verified
 [2017-06-30 15:37 UTC] yohgaki@php.net
It seems current master's session_name() is changed to send cookie even when it shouldn't.


[yohgaki@dev PHP-master]$ ./sapi/cli/php -r 'var_dump($n=session_name("foo"));var_dump(session_name());'
string(9) "PHPSESSID"

Warning: session_name(): Cannot change session name when headers already sent in Command line code on line 1
bool(false)
[yohgaki@dev PHP-master]$ php -v
PHP 7.0.20 (cli) (built: Jun  7 2017 04:59:25) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
    with Zend OPcache v7.0.20, Copyright (c) 1999-2017, by Zend Technologies
[yohgaki@dev PHP-master]$ php -r 'var_dump($n=session_name("foo"));var_dump(session_name());'
string(9) "PHPSESSID"
string(3) "foo"
 [2017-06-30 18:34 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a2d766503aed619493386a9b4ef8190be62b36f7
Log: Fixed bug #74514 5 session functions incorrectly warn when calling in read-only/getter mode
 [2017-06-30 18:34 UTC] yohgaki@php.net
-Status: Verified +Status: Closed
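
A regression check for the behaviour discussed in this report, as an added example (it is not code from the report or from php-src). It calls the five functions named above in getter mode after output has been sent and records any warning each call raises; the helper name probe_getters is an assumption made for this example.

```php
<?php
// Added example: probe the five session functions from bug #74514 in
// read-only (no-argument) mode after headers have been sent.

$getters = [
    'session_name',
    'session_module_name',
    'session_save_path',
    'session_cache_limiter',
    'session_cache_expire',
];

// Hypothetical helper: call each getter and collect its value and warnings.
function probe_getters(array $getters): array
{
    $results = [];
    foreach ($getters as $fn) {
        $warnings = [];
        // Capture warnings/notices instead of letting PHP print them.
        set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
            $warnings[] = $msg;
            return true;
        }, E_WARNING | E_NOTICE);
        try {
            $value = $fn();   // getter mode: no argument given
        } finally {
            restore_error_handler();
        }
        $results[$fn] = ['value' => $value, 'warnings' => $warnings];
    }
    return $results;
}

echo " ";   // send output first, as in the one-line reproducer in this report

$failed = 0;
foreach (probe_getters($getters) as $fn => $r) {
    // A getter passes when it raised nothing and did not return false.
    $ok = $r['warnings'] === [] && $r['value'] !== false;
    $failed += $ok ? 0 : 1;
    printf("%-22s %s %s\n", $fn, $ok ? 'ok' : 'FAIL', json_encode($r));
}
exit($failed === 0 ? 0 : 1);
```

Run it with the CLI binary of the build under test; a non-zero exit status means at least one getter warned or returned false.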
 
Last updated: Sat Dec 21 14:01:32 2024 UTC