php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #25894 session_start() sending a cookie every time
Submitted: 2003-10-17 05:32 UTC Modified: 2003-10-17 09:35 UTC
From: tom at scl dot co dot uk Assigned:
Status: Not a bug Package: Session related
PHP Version: 4.3.3 OS: Linux 2.4.18
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: tom at scl dot co dot uk
New email:
PHP Version: OS:

 

 [2003-10-17 05:32 UTC] tom at scl dot co dot uk 
Description:
------------
The session_start() function seems to be sending the session cookie to the browser every time, even if the browser has already got a cookie and has submitted it to the script.

This, along with being a pretty pointless thing to do, also makes it imposible to delete a session cookie after the session_start() has been called as all the browsers I have tried this with seem to ignore a request to delete a cookie if the same cookie has been set before hand in the same request.

Reproduce code:
---------------
<?php
session_start();
?>

Expected result:
----------------
The cookie would be sent to the browser the first time you run the script but all following requests should not send a cookie to the browser because it has already got it.

Actual result:
--------------
A cookie is sent to the browser one every request for the page.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-10-17 08:33 UTC] sniper@php.net 
This is by design. Cookie lifetime would not work very well otherwise.
 [2003-10-17 08:55 UTC] tom at scl dot co dot uk 
Since when? This never used to be the case in previous versions of PHP, at least not with session cookies which have a lifetime of 0 anyway so why would it matter, I have never used pesistent cookies with php native sessions so I don't know how they behave but maybe I should have pointed out originally that I am using session cookies.

This also makes it impossible to delete the cookie!

And for people with browsers set to warn before recieving a cookie it is a major irritation having to go through the warning dialog on every page hit.

This change has cause quite a substantial amount of my code to break and I'm sure I can be the only person experiencing problems with these changes.
 [2003-10-17 08:57 UTC] sniper@php.net 
Bullshit, I just wrote a logout function in which I delete the cookie and it works just fine.
 [2003-10-17 09:35 UTC] tom at scl dot co dot uk 
I appologise, deleting the cookie is possible but it is still both pointless pointless & annoying to be sending a cookie every time with "session" cookies.
 [2004-02-20 18:08 UTC] pweis at pweis dot com 
I just stumbled over the same problem. PHP sends a Set-Cookie header every time a page is requested. This might make some sense for lifetime > 0, but definitely not for lifetime == 0. This is especially annoying for users that don't accept cookies automatically. Right now, they have to accept a new cookie for every page.
 
PHP Copyright © 2001-2026 The PHP Group
All rights reserved. 		Last updated: Mon Mar 16 13:00:01 2026 UTC