Request #15960 GET-style session fallback -- Incessant asking for cookie
Submitted: 2002-03-08 13:05 UTC Modified: 2002-03-08 14:19 UTC
From: nielsene at mit dot edu Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.1.2 OS: RH Linux 7.2
Private report: No CVE-ID: None
 [2002-03-08 13:05 UTC] nielsene at mit dot edu
This may be a documentation clarification issue, or it may be a session bug.  In either case this seems like the most benign way to report it.

I've searched the on-line bug and email archives as well as read the annotated documentation and I can't tell if this is the normal, expected behavior or not:

On page1.php I use session_start(), reject the cookie
follow a link to page2.php (the PHPSESSID was properly appended)

On arrival at page2.php I am again prompted to accept/reject the cookie.  I understand that choosing prompt/always/never is a browser/user decision, but shouldn't session_start detect that a session exists and that the cookie was rejected and not keep bugging the user?  (Is this a bug or a feature request?)

Eric Nielsen

 [2002-03-08 13:44 UTC] sniper@php.net
So you're saying that PHP sends the cookie even
if the PHPSESSID was in the GET request?

This doesn't happen to me with latest CVS..
So you could try a snapshot from http://snaps.php.net/

--Jani


 [2002-03-08 13:51 UTC] nielsene at mit dot edu
Sorry, I guess that was less clear than I thought it was.

It appears that if a user has their browser set to Prompt (for cookie acceptance), PHP will attempt to set the cookie every time session_start is called, causing the browser to pop up the query dialog box (accept/reject cookie?) on every page.  It appears to me this is broken; session_start should be able to tell that a session exists, via existence of a PHPSESSID variable in the GET variables, and not try to start a new cookie-based session.

I.e., once a user has rejected a cookie, that session should stay cookieless; PHP should not try to browbeat the user into accepting the cookie.
 [2002-03-08 14:19 UTC] sniper@php.net
..and that's what happens with latest CVS. (and 4.2.0 branch). Try the snapshot.

--Jani

 