[2016-09-21 23:02 UTC] evgeny dot budakov+phpnet at gmail dot com
Description:
------------
session_regenerate_id overrides setcookie if the names match, even though the domains may differ. In my case the domain names were 'domain.com' vs '.domain.com'.
The issue arises when I try to delete a cookie via the setcookie function (on domain 'domain.com') and immediately afterwards call session_regenerate_id (on domain '.domain.com').
Test script:
---------------
session_name('test');
session_start();
// PHP 5
setcookie('test', '', time()-10000000, '/', 'thrivemarket.com'); // outputs Set-cookie test = deleted header(thrivemarket.com)
session_regenerate_id(true); // Outputs Set-cookie test = (session id) header (.thrivemarket.com)
// PHP 7
setcookie('test', '', time()-10000000, '/', 'thrivemarket.com'); // <--- THIS IS THE BUG, unlike in PHP 5 this call is ignored in PHP 7
session_regenerate_id(true); // Outputs Set-cookie test = (session id) header (.thrivemarket.com)
Expected result:
----------------
In PHP 7 I expect the "Set-cookie test = deleted" header to be output, just as it is in PHP 5.
Actual result:
--------------
"Set-cookie test = deleted" is not output
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sun Oct 26 12:00:01 2025 UTC
I'm not sure what problem you have. However, how to treat a malformed domain in a Set-Cookie header is up to the browser, i.e. when you send cookies from different scripts, this could happen.

The session module removes old cookies to avoid sending multiple session ID cookies. PHP does not use cookie attributes to distinguish cookies. The correct (logical) behavior is to override any cookie previously defined. It does as it is supposed to for both PHP 5.x and 7.x.

If you still think there is a bug, please provide a complete script and describe the issue in detail, especially the reproduction procedure.

------------------------------------------
[yohgaki@dev php.net]$ cat t.php
<?php
session_name('test');
session_set_cookie_params(0, '/', '.domain.com');
session_start();
setcookie('test', '', time()-10000000, '/', 'domain.com');
session_regenerate_id(true);
------------------------------------------
GET /t.php HTTP/1.1
Host: domain.com:8888
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ja,en-US;q=0.8,en;q=0.6
Cookie: test=4f94c1fbe752009ee1ee76a53e52c8c5
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Content-type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Host: domain.com:8888
Pragma: no-cache
Set-Cookie: test=dbb8600a89d76e3a901dea50015d179c; path=/; domain=.domain.com
X-Powered-By: PHP/5.6.27-dev
------------------------------------------
GET /t.php HTTP/1.1
Host: domain.com:8888
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ja,en-US;q=0.8,en;q=0.6
Cookie: test=4f94c1fbe752009ee1ee76a53e52c8c5
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Host: domain.com:8888
Pragma: no-cache
Set-Cookie: test=de7b1b94f21ab18ebb40e738532b63b2; path=/; domain=.domain.com
X-Powered-By: PHP/7.0.12-dev
------------------------------------------
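
An added example (not part of the report or the reply, and not PHP project code) that makes the header handling discussed in this thread observable: it lists the queued Set-Cookie headers for the session name after each call, then issues the expiry cookie after session_regenerate_id() instead of before it. The helper name queued_cookies() is hypothetical, and the domains are the placeholders used in the thread.

```php
<?php
// Added example: run under a web SAPI (for instance the built-in server).
// 'domain.com' and '.domain.com' are the placeholder domains from the thread.

// Return the queued Set-Cookie headers whose cookie name is exactly $name.
function queued_cookies(string $name): array
{
    $found = [];
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie:') !== 0) {
            continue; // not a cookie header
        }
        $cookie = ltrim(substr($header, strlen('Set-Cookie:')));
        if (strpos($cookie, $name . '=') === 0) {
            $found[] = $cookie;
        }
    }
    return $found;
}

session_name('test');
session_set_cookie_params(0, '/', '.domain.com');
session_start();

// Order used in the report: expire the cookie first, then regenerate.
setcookie('test', '', time() - 10000000, '/', 'domain.com');
$afterExpire = queued_cookies('test');
session_regenerate_id(true); // session module drops queued cookies named 'test'
$afterRegenerate = queued_cookies('test');

// Reordered: queue the expiry header once the session module has sent its
// cookie. setcookie() appends a header and leaves queued ones in place.
setcookie('test', '', time() - 10000000, '/', 'domain.com');
$afterReorder = queued_cookies('test');

header('Content-Type: text/plain');
$steps = [
    'after setcookie()'             => $afterExpire,
    'after session_regenerate_id()' => $afterRegenerate,
    'after second setcookie()'      => $afterReorder,
];
foreach ($steps as $label => $cookies) {
    echo $label, ":\n  ", implode("\n  ", $cookies), "\n";
}
```

Browsers that follow RFC 6265 ignore a leading dot in the Domain attribute, so whether the two headers address different cookies depends on the client.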