Bug #35233 session_name gives bad result with session.auto_start=true
Submitted: 2005-11-16 04:50 UTC Modified: 2005-11-16 15:49 UTC
From: gandalf at flock dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.0.5 OS: *
Private report: No CVE-ID: None

 [2005-11-16 04:50 UTC] gandalf at flock dot com
Description:
------------
As mentioned in bugs 1988 and 16389 when you set up session.auto_start=true, then you can't play with session_name.
It's ok.

But if so, then session_name() should return the REAL name, not the false one.

It's totally misleading to accept session name change (without an Exception).

Reproduce code:
---------------
1) Set session.auto_start=true in php.ini
2) 
<?php

session_name('foo');
session_start();

print('Session name: '.session_name());
?>

Expected result:
----------------
Session name: PHPSESSID

Actual result:
--------------
Session name: foo


'session_name()' should give the real session cookie name.

 [2005-11-16 10:24 UTC] tony2001@php.net
Why is that a bug?
session_name() *does* change the session name, but it's too late, because session has already been started.
So the session_name() behaviour is correct.
 [2005-11-16 15:49 UTC] gandalf at flock dot com
> So the session_name() behaviour is correct.

I understand your point of view, but try to understand mine. When a coder works on the session stuff, he can't know about all possible environments where the code will be launched. When he finds session_name function and its description, he simply uses it to (usually) check if session cookie exists.

So it usually will look like it was in MediaWiki (http://bugzilla.wikimedia.org/show_bug.cgi?id=3990) - in some place they choose session name, and later they simply check if session cookie exists (isset($_COOKIE[session_name()])) - this will work badly if session.auto_start is on.

Even more. I have no chance to get the real name.

So I'd propose either to document this in session_name docs, and add ability to check the REAL name (for example by providing get_session_name(true) to get the real one)?
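
One way to avoid the mismatch discussed in this thread, as an added example that is not part of the bug report or of PHP itself: check whether a session is already active before calling session_name() with an argument, and keep the name that was in effect. The helper name start_named_session is hypothetical, and the code assumes PHP 7.0 or later (session_status() needs 5.4, the type declarations 7.0).

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// start_named_session() is a hypothetical helper; assumes PHP 7.0+.

/**
 * Start a session under $wanted if possible and return the cookie name
 * that is actually in effect for this request.
 */
function start_named_session(string $wanted): string
{
    // With session.auto_start=1 the session is already active here, and it
    // was started under the configured session.name (PHPSESSID by default).
    if (session_status() === PHP_SESSION_ACTIVE) {
        // Read the name without passing an argument: nothing has renamed
        // it yet, so this is still the name the running session uses.
        $active = session_name();
        if ($active !== $wanted) {
            trigger_error(
                "session already active as '$active'; cannot rename to '$wanted'",
                E_USER_WARNING
            );
        }
        return $active;
    }

    // No session yet: renaming is effective because it precedes the start.
    session_name($wanted);
    session_start();
    return $wanted;
}

// Use the returned name, not a fresh session_name() call made after an
// attempted rename, when looking for the visitor's session cookie.
$cookieName = start_named_session('foo');
$hasSessionCookie = isset($_COOKIE[$cookieName]);
```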
 
Last updated: Thu Jul 03 00:01:35 2025 UTC