PHP :: Bug #75554 :: session_regenerate_id() causes duplicate Set-Cookie header to be sent

Bug #75554

session_regenerate_id() causes duplicate Set-Cookie header to be sent

Submitted:

2017-11-22 12:37 UTC

Modified:

2020-03-25 15:48 UTC

Votes:	12
Avg. Score:	4.2 ± 0.9
Reproduced:	10 of 11 (90.9%)
Same Version:	1 (10.0%)
Same OS:	2 (20.0%)

From:

arve at coretrek dot no

Assigned:

Status:

Analyzed

Package:

Apache2 related

PHP Version:

7.1.11

OS:

Linux Mint 18, Ubuntu 12.04 LTS

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	arve at coretrek dot no
New email:
PHP Version:		OS:

New/Additional Comment:

[2017-11-22 12:37 UTC] arve at coretrek dot no

Description:
------------
When calling session_start() and then session_regenerate_id(), PHP will send two Set-Cookie headers, one containing the old session id and the other containing the new session id. 

Testet on: 
* PHP 7.1.11 on Ubuntu 12.04 (installed via phpbrew) 
* PHP 7.0.22-0ubuntu0.16.04.1 on Linux Mint 18

Test script:
---------------
First, create sessiontest.php: 
<?php
session_start();
if (!isset($_SESSION['SessionInitiated'])) {
    session_regenerate_id();
    $_SESSION['SessionInitiated'] = true;
}
?>

Then, access sessiontest.php through Apache and inspect response headers, e.g. by using curl: 
curl -sv http://localhost/sessiontest.php  > /dev/null
*   Trying 127.0.1.1...
* Connected to localhost (127.0.1.1) port 80 (#0)
> GET /sessiontest.php HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 22 Nov 2017 12:07:52 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=8676mem4p76uka76ta2qq072q1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: PHPSESSID=rvud0d79be3oa77rnbag0lmgc2; path=/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8



Expected result:
----------------
Only send one Set-Cookie header (containing the new session id). 

Actual result:
--------------
Two Set-Cookie headers are sent, one containing the old session id and the other containing the new session id. This confuses browsers and cause some browsers to continue using the old session cookie. 

In addition, if you call  var_dump(headers_list()) at the end of the script, only ONE Set-Cookie header will be listed here, even though two headers are sent.

Patches

Pull Requests

Pull requests:

Fix #75554 - Recreate all Set-Cookie headers from current sapi_headers (php-src/3231)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-04-10 17:14 UTC] tilmann dot bach at telekom dot de

I can confirm this BUG. This behavior is in contrast to the RFC: https://tools.ietf.org/html/rfc6265#section-4.1.1

"Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name.  (See Section 5.2 for how user agents handle this case.)"

[2018-05-01 20:02 UTC] pmmaga@php.net

-Status: Open +Status: Analyzed -Package: Session related +Package: Apache2 related -Assigned To: +Assigned To: pmmaga

[2018-05-01 20:02 UTC] pmmaga@php.net

This bug is specific to apache2. I have looked into it and have created a PR with a potential fix. You can find more details on the PR itself.

[2018-05-01 20:12 UTC] pmmaga@php.net

Not able to link the PR at the moment. Here's the link: https://github.com/php/php-src/pull/3231

[2019-03-19 14:14 UTC] marthasimons8888 at gmail dot com

Then, access sessiontest.php through Apache and inspect response headers, e.g. by using curl: 
curl -sv http://localhost/sessiontest.php  > /dev/null
*   Trying 127.0.1.1...
* Connected to localhost (127.0.1.1) port 80 (#0)
> GET /sessiontest.php HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 22 Nov 2017 12:07:52 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=8676mem4p76uka76ta2qq072q1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: PHPSESSID=rvud0d79be3oa77rnbag0lmgc2; path=/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
I try https://goo.gl/LhppLn its work ok

[2020-03-25 15:48 UTC] pmmaga@php.net

-Assigned To: pmmaga +Assigned To:

[2021-04-22 16:46 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #75554 - Recreate all Set-Cookie headers from current sapi_headers
On GitHub:  https://github.com/php/php-src/pull/3231
Patch:      https://github.com/php/php-src/pull/3231.patch

[2024-05-17 14:29 UTC] marthasimons8888 at gmail dot com

< Pragma: no-cache
< Set-Cookie: PHPSESSID=rvud0d79be3oa77rnbag0lmgc2; path=/ 
< Content-Length: 0

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 24 17:00:01 2025 UTC