PHP :: Bug #41885 :: The problem case by "phpsessid=deleted"

Bug #41885	The problem case by "phpsessid=deleted"
Submitted:	2007-07-03 11:34 UTC	Modified:	2007-07-03 11:41 UTC
From:	ivyrake at gmail dot com	Assigned:
Status:	Not a bug	Package:	Session related
PHP Version:	5.2.3	OS:	linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-07-03 11:34 UTC] ivyrake at gmail dot com

Description:
------------
Perhaps it was my fault(i use the code:setcookie("PHPSESSID", "", time() - 3600);),but it make me very trouble.
Now and then my website user could access other's accounts by HIMSELF  ID/Password!
This remained until I found some user's cookie['phpsessid']="deleted".
So I wrote some code in my login.php:
if ("deleted" == session_id())
{
    exit();
}
.

later I traced the file head.c,I find that if setcookie("PHPSESSID", "") 
"PHPSESSID=deleted;expires=xxxxxxxx" will appear in HTTP head(for ie).It really an accurate method? 

At the same time  I find that Cookie sent by user's browser has no ";expires=xxxx",only has "PHPSESSID=deleted", What can cause this appear? 

Sorry for my poor english:(

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-07-03 11:41 UTC] tony2001@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Apr 18 23:01:25 2025 UTC