Bug #33868 Session cookies are set only once
Submitted: 2005-07-26 17:28 UTC Modified: 2005-07-26 20:53 UTC
From: wglynn at freedomhealthcare dot org Assigned: sas (profile)
Status: Not a bug Package: Session related
PHP Version: 4.3.11 OS: Linux
Private report: No CVE-ID: None
 [2005-07-26 17:28 UTC] wglynn at freedomhealthcare dot org
Description:
------------
After switching webservers (and upgrading PHP) over the weekend for an internal application, our users began reporting that they were getting logged out randomly. After triple-checking our code and web server setup, we started digging through the PHP source, and eventually discovered the issue.

In PHP 4.3.4 (and versions before and after 4.3.4), setting a nonzero value of session.cookie_lifetime either via php.ini or session_set_cookie_params() resulted in a cookie that expires a certain number of seconds after the current page load. This has the net effect of session.cookie_lifetime setting an inactivity timeout.

In PHP 4.3.11, session_start() sends Set-Cookie: once, with an expiration time governed by session.cookie_lifetime. (I believe this behavior changed for PHP 4.3.9.) So, if session.cookie_lifetime is 20 minutes, the cookie will expire and destroy the session 20 minutes after login, regardless of any activity.

Bug #30232 attempted to change this behavior and got a patch committed, but it was ripped out, saying that the behavior of setting the cookie once is intentional and correct. I feel that this behavior is completely wrong for cases where session.cookie_lifetime is nonzero; there is no situation where sessions should expire a fixed time after setting them, but many situations where sessions should expire a fixed time after a call to session_start().

My proposed fix is to always send cookies if session.cookie_lifetime is nonzero.

Reproduce code:
---------------
<?php

// Make the browser reload this page every 10 seconds.
header('Refresh: 10');

// Session cookie lifetime of 15 seconds (longer than the refresh interval),
// so a cookie that is re-sent on every session_start() would never expire
// while the page keeps refreshing.
session_set_cookie_params(15);
session_start();

if (!isset($_SESSION['i'])) {
  // First request: no session yet.
  $_SESSION['i'] = 1;
  echo 'Started session.';
} else {
  // Subsequent requests: the session survived, so the counter keeps growing.
  $_SESSION['i']++;
  echo "Page load number {$_SESSION['i']}.";
}


Expected result:
----------------
"Page load number" should keep incrementing for as long as the browser keeps refreshing the page within the cookie lifetime.

Actual result:
--------------
The cookie expires 15 seconds after the first page load, destroying the session.

 [2005-07-26 20:37 UTC] sniper@php.net
You've got confused with session maxlife and cookie max life.
There's no bug here.

 [2005-07-26 20:53 UTC] wglynn at freedomhealthcare dot org
I am aware that session.gc_maxlifetime can have a similar effect, however:

1. session.cookie_lifetime gives a much finer degree of control over the duration of the session, as different lifetimes can be assigned based on user-specified criteria (i.e. inside hosts get one timeout, outside hosts get another)
2. This is a deviation from earlier behavior that was not documented in the master ChangeLog
3. This change of behavior provides no benefit for non-zero values of session.cookie_lifetime and breaks existing software that expects session_start() to reset the cookie expiration
4. If the new behavior is desired (for whatever reason), it can be synthesized under the old behavior. The opposite is not true.

As I see it, the bottom line is that having session_start() send a cookie only when the browser did not supply one reduces functionality, breaks some existing software, and helps nothing when cookie_lifetime is nonzero. Changing this behavior back would be trivial, and would give a tangible benefit.
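An added example (not code from the bug report) of an inactivity timeout that does not depend on whether session_start() re-sends the cookie: the idle limit is enforced server-side from a timestamp stored in the session, and the cookie is re-sent explicitly on every request so its expiry slides with activity. The 20-minute limit is an assumed policy value.

```php
<?php
// Added example, not from the bug report. Must run before any output is sent,
// because it emits Set-Cookie headers.

$idleSeconds = 20 * 60; // assumed policy: 20 minutes of inactivity

// Make the server-side garbage collector agree with the idle limit, otherwise
// session data may be collected earlier (or linger longer) than the cookie.
ini_set('session.gc_maxlifetime', $idleSeconds);
session_set_cookie_params($idleSeconds);
session_start();

// Returns true if the session was idle longer than $idleSeconds and has been
// destroyed, false if it is still valid. The check is server-side because the
// browser's cookie expiry is advisory only: a stolen session id is not bound
// by it, so the cookie lifetime alone is not a security control.
function enforce_idle_timeout($idleSeconds)
{
    $now = time();
    $cookie = session_get_cookie_params();

    if (isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > $idleSeconds) {
        $_SESSION = array();
        // Expire the cookie in the browser as well, using the configured
        // path/domain so it matches the cookie that was originally set.
        setcookie(session_name(), '', $now - 3600,
                  $cookie['path'], $cookie['domain'], $cookie['secure']);
        session_destroy();
        return true;
    }

    $_SESSION['last_activity'] = $now;

    // Client-side sliding expiry: re-send the session cookie on every request
    // so its Expires moves forward with activity, regardless of whether this
    // PHP version re-sends it from session_start().
    setcookie(session_name(), session_id(), $now + $idleSeconds,
              $cookie['path'], $cookie['domain'], $cookie['secure']);
    return false;
}

if (enforce_idle_timeout($idleSeconds)) {
    echo 'Session expired after inactivity; please log in again.';
    exit;
}
```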
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Jul 12 10:01:33 2025 UTC