This needs to be told in the manual. Even as $_SESSION and $HTTP_SESSION_VARS look different they're essentially same thing. (dunno how to say this better..just don't do it! :)

My apologize for that I am changing the category but there is still a bit of a problem with session store if one actually tries to put invalid stuff to $_SESSION, as I described.
Also, is it possible to emerge a warning at some stage if an invalid key is put to $_SESSION - guess it is something worth to be done along with the notes in docs.

I can't reproduce this. Is the behavior same in PHP 5.2.6? Isn't it affected by register_globals?

Yeah, I can definitely reproduce it under PHP 5.2.6 with `files` and `mecached` session handlers. It is not affected by register_global (I always keep it and similar deprecated stuff to off but switching it on changes nothing).

Well, what else to add...

PHP Version 5.2.6 on Linux 2.6.18

'./configure'  '--prefix=/opt/php5' '--with-apxs=/opt/apache/bin/apxs' '--with-openssl' '--with-zlib' '--enable-sockets' '--with-mysql=shared,/opt/mysql-4.1.21l' '--with-iconv' '--with-gd' '--enable-bcmath' '--with-curl' '--with-mcrypt' '--with-pgsql=shared,/opt/pgsql-8.1.4' '--with-oci8=/opt/OraHome' '--enable-exif' '--with-jpeg-dir=/usr/lib' '--enable-wddx' '--enable-pcntl' '--enable-mbstring' '--with-gmp' '--with-freetype-dir=/usr/lib' '--with-xsl' '--with-xmlrpc' 

Used with Apache 1.3.37 (mod_php5)

Session Support 	enabled
Registered save handlers 	files user sqlite memcache
Registered serializer handlers 	php php_binary wddx


Directive	Local Value	Master Value
session.auto_start	Off	Off
session.bug_compat_42	On	On
session.bug_compat_warn	On	On
session.cache_expire	720	720
session.cache_limiter	nocache	nocache
session.cookie_domain	no value	no value
session.cookie_httponly	Off	Off
session.cookie_lifetime	0	0
session.cookie_path	/	/
session.cookie_secure	Off	Off
session.entropy_file	no value	no value
session.entropy_length	0	0
session.gc_divisor	100	100
session.gc_maxlifetime	7200	7200
session.gc_probability	10	10
session.hash_bits_per_character	4	4
session.hash_function	0	0
session.name	PHPSESSID	PHPSESSID
session.referer_check	no value	no value
session.save_handler	files	files
session.save_path	/tmp	/tmp
session.serialize_handler	php	php
session.use_cookies	On	On
session.use_only_cookies	Off	Off
session.use_trans_sid	0	0

Currently, the documentation says that $HTTP_SESSION_VARS is 
deprecated.  and in V5.3.0 betas, there is no $HTTP_SESSION_VARS

So, is this still an ongoing problem?

<?php var_dump($HTTP_SESSION_VARS); ?>

Notice: Undefined variable: HTTP_SESSION_VARS

That's only because register_long_arrays is off.

This directive became available in PHP 5.0.0 and was dropped in PHP 
6.0.0.

Turning them on seems to work as expected. No corruption on 5.3.0beta2-dev (Build Date Feb 10 2009 12:47:18)



What type of session.serialize_handler are you using? I get the error 
in the beta with php, but not with wddx.

With php_binary I get a load of warnings.


Warning: session_start() [function.session-start.html]: Trying to 
destroy uninitialized session in D:\Data\Web Sites\Development\Web 
Reports\public_html\sess.php on line 2

Warning: session_start() [function.session-start.html]: Failed to 
decode session object. Session has been destroyed in D:\Data\Web 
Sites\Development\Web Reports\public_html\sess.php on line 2

Warning: session_start() [function.session-start.html]: Cannot send 
session cache limiter - headers already sent (output started at 
D:\Data\Web Sites\Development\Web Reports\public_html\sess.php:2) in 
D:\Data\Web Sites\Development\Web Reports\public_html\sess.php on 
line 2

Array
(
    [qwerty] => 1
)
Array
(
    [qwerty] => 1
)

Yeah, php handler gives bug, php_binary - warnings, wddx gives this:
 Array
 (
     [qwerty] => 1
     [HTTP_SESSION_VARS] => 2
     [ABC] => qqq
 )


PHP 5.2.9

5.2.9-2 Windows NT DYPA 5.1 build 2600 

1st:
Array
(
)
2nd:
Array
(
    [qwerty] => 1
    [i:2;ABC] => qqq
)

I don't really think we should document such behaviour, its not very likely that the user will try to play with superglobals like that and if they should they should be prepared for such issues.