php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #66469 PHP creates two session ids when using strict mode
Submitted: 2014-01-12 08:28 UTC Modified: 2014-01-22 05:00 UTC
From: oz at zend dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.5.8 OS: All
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: oz at zend dot com
New email:
PHP Version: OS:

 

 [2014-01-12 08:28 UTC] oz at zend dot com 
Description:
------------
When you enable the strict mode and then you execute session_start() without supplying a PHPSESSID (using php-cgi, cli, or ApacheBench for example), PHP creates two session ids and returns two SetCookie headers with both session ids.

I believe the second session id can be avoided since PHP knows it just created the session id for the first time.

Test script:
---------------
<?php
ini_set("session.use_strict_mode", "1");
ini_set("session.save_handler", "files");
session_start();
?>


Expected result:
----------------
"
Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
"


Actual result:
--------------
"
Set-Cookie: PHPSESSID=k1hn6r22om8kiq60nq72hhsa52; path=/
Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-01-15 14:33 UTC] kaplan@php.net 
This commit might be relevant for this bug: http://git.php.net/?p=php-src.git;a=commitdiff;h=167eaedcbdb494c87c4f83d2897a9fdb614e7062
 [2014-01-17 03:37 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki
 [2014-01-17 03:37 UTC] yohgaki@php.net 
Thank you, kaplan.
The commit is the fix. I don't know why the link shows patch applicable only to 5.6 branch, though. (It's not in 5.5 branch)

Closing.
 [2014-01-17 03:40 UTC] yohgaki@php.net 
BTW, 5.6 part of diff is committed last year, not this year.
 [2014-01-21 09:18 UTC] yohgaki@php.net
-Status: Closed +Status: Re-Opened
 [2014-01-21 09:18 UTC] yohgaki@php.net 
Looks like I have to modify code so that session module calls 

 php_session_reset_id(TSRMLS_C);

only once. Reopened.
 [2014-01-22 04:50 UTC] yohgaki@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-01-22 04:50 UTC] yohgaki@php.net
-Status: Re-Opened +Status: Closed
 [2014-01-22 04:51 UTC] yohgaki@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=383423a1ee356b102563100e99e147ce8da996c3
Log: Re-fixed bug #66469
 [2014-01-22 04:51 UTC] yohgaki@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=383423a1ee356b102563100e99e147ce8da996c3
Log: Re-fixed bug #66469
 [2014-01-22 04:51 UTC] yohgaki@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=383423a1ee356b102563100e99e147ce8da996c3
Log: Re-fixed bug #66469
 [2014-01-22 05:00 UTC] yohgaki@php.net 
Modified code so that it replaces old session cookie.
Users should not send session cookie by themselves anyway.
Replacement is required, since user may call session_regenerated_id().

Could you try it again?
 [2014-01-22 08:54 UTC] ab@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=383423a1ee356b102563100e99e147ce8da996c3
Log: Re-fixed bug #66469
 [2014-01-22 10:26 UTC] yohgaki@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-01-22 18:04 UTC] ab@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-02-12 08:46 UTC] tyrael@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=383423a1ee356b102563100e99e147ce8da996c3
Log: Re-fixed bug #66469
 [2014-02-12 08:46 UTC] tyrael@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-10-07 23:16 UTC] stas@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 [2014-10-07 23:27 UTC] stas@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=a27e51fd4e9121f962821d0f7bd1960fce0a0fd5
Log: Re-fixed bug #66469
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 24 22:00:02 2025 UTC