Request #43439 PHP Cookie expiration (2)
Submitted: 2007-11-28 10:57 UTC
Modified: 2013-04-16 19:41 UTC
From: bnies at bluewin dot ch
Assigned: yohgaki
Status: Closed
Package: Session related
PHP Version: 5.2.5
OS: Solaris 9
Private report: No
CVE-ID: None
 [2007-11-28 10:57 UTC] bnies at bluewin dot ch
Description:
------------
Concerning Bug #43226 because it was set to 'bogus' and additional comments are not allowed.

First: I did not ask for support.

The issue I submitted is concerning the HTTP headers that the PHP function session_unregister() sends to the browser.

My suggestion was to send Cookie Expires and Cookie Max-Age together when unregistering a PHP session to make sure that even with broken proxy or browser implementations the session gets terminated.

This problem came across a broken proxy implementation that only treated the Max-Age option and ignored the Expires option and then sent the session cookie with the value 'deleted' back to the PHP application which then treated it as a valid session.

See:

https://sourceforge.net/tracker/index.php?func=detail&aid=1829098&group_id=311&atid=100311

I don't mess with computer's time but some internet users might do this and change the date to use expired software licenses. I don't know if the PHP application or PHP itself sets the cookie expires date to one year in the past. Maybe setting it to 1 January 1980 00:00 GMT is the safest way.

Bye,
Bernd


 [2011-04-08 21:30 UTC] jani@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2011-04-08 21:30 UTC] jani@php.net
-Package: *General Issues +Package: Session related
 [2012-03-31 03:28 UTC] yohgaki@php.net
Sounds reasonable
 [2012-03-31 03:28 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2013-01-15 08:10 UTC] narf at bofh dot bg
This has been fixed via the following pull request:

https://github.com/php/php-src/pull/238
 [2013-04-16 19:41 UTC] yohgaki@php.net
setcookie() has changed
 [2013-04-16 19:41 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
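
The request in the description, as an added example that is not code from the report, the pull request or php-src: the deletion header carries both Expires and Max-Age, and the session is also destroyed server-side so a cookie value echoed back by a broken proxy maps to nothing. The function names `build_delete_cookie_header()` and `terminate_session()` are hypothetical, the fixed date is the one suggested in the report, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: terminate a session so that a client or proxy honouring only
// Expires, or only Max-Age, still drops the cookie, and a replayed cookie
// value (such as the literal 'deleted') no longer maps to session data.

// Reject session IDs the server did not issue; must run before session_start().
ini_set('session.use_strict_mode', '1');

/** Build the Set-Cookie header value that deletes cookie $name. */
function build_delete_cookie_header(string $name, array $p): string
{
    $parts = [
        rawurlencode($name) . '=deleted',
        // Fixed past date, so a skewed server or client clock cannot matter.
        'Expires=Tue, 01 Jan 1980 00:00:00 GMT',
        // Covers implementations that only evaluate Max-Age.
        'Max-Age=0',
        'Path=' . ($p['path'] ?: '/'),
    ];
    if (!empty($p['domain']))   { $parts[] = 'Domain=' . $p['domain']; }
    if (!empty($p['secure']))   { $parts[] = 'Secure'; }
    if (!empty($p['httponly'])) { $parts[] = 'HttpOnly'; }
    return implode('; ', $parts);
}

/** Destroy the session on the server first, then tell the client to forget it. */
function terminate_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $name   = session_name();
    $params = session_get_cookie_params(); // same path/domain as the original cookie

    $_SESSION = [];     // drop data held in this request
    session_destroy();  // remove the server-side record for this ID

    if (!headers_sent()) {
        // false: append, do not replace other Set-Cookie headers.
        header('Set-Cookie: ' . build_delete_cookie_header($name, $params), false);
    }
}

// Constructed sample parameters, printed to show the resulting header value.
echo build_delete_cookie_header('PHPSESSID', [
    'path' => '/', 'domain' => '', 'secure' => true, 'httponly' => true,
]), "\n";
```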
Last updated: Wed Apr 02 06:01:30 2025 UTC