Request #49725 session: Cache-Control header should not have post-check, pre-check
Submitted: 2009-09-30 18:29 UTC Modified: 2010-11-24 10:55 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: sec dot wb at heysoft dot de Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.11 OS: *
Private report: No CVE-ID: None
 [2009-09-30 18:29 UTC] sec dot wb at heysoft dot de
Description:
------------
The function session_start() causes PHP to send the following line:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

This is quite stupid because no browser cares about "post-check=0, pre-check=0". IE will ignore it, as you can read here:
http://blogs.msdn.com/ieinternals/archive/2009/07/20/Using-post_2D00_check-and-pre_2D00_check-cache-directives.aspx
It says: "http://blogs.msdn.com/ieinternals/archive/2009/07/20/Using-post_2D00_check-and-pre_2D00_check-cache-directives.aspx"

And apparently there was even a beta version of IE7 which downloaded all objects twice when "post-check=0, pre-check=0" was specified.

So I wonder why it is there in nearly every PHP page?

Reproduce code:
---------------
<?php
	// Start a session
	if(!defined('SESSION_STARTED')) {
		session_name('a_session_id');
		@session_start();
		define('SESSION_STARTED', true);
	}
?>

Expected result:
----------------
No stupid cache control output

Actual result:
--------------
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

History

 [2009-09-30 18:31 UTC] sec dot wb at heysoft dot de
In the description I copied the link twice, wanted to write:

It says: "If both post-check and pre-check are specified and set to 0, both are entirely ignored"
 [2010-11-24 10:55 UTC] jani@php.net
-Status: Open +Status: Bogus -Package: Feature/Change Request +Package: *General Issues
 [2010-11-24 10:55 UTC] jani@php.net
You can disable it with session_cache_limiter( FALSE );
 [2010-11-24 10:55 UTC] jani@php.net
-Package: *General Issues +Package: Session related
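Building on jani's suggestion, an added example (not code from this bug report or from PHP itself) that disables the built-in limiter and then re-sends the part of the header that actually matters for security, without the post-check/pre-check tokens; the function names and the session name are assumptions:

```php
<?php
// Added example, not from the bug report: start a session without PHP's
// default "nocache" limiter, then send an equivalent Cache-Control header
// that omits the IE-only post-check/pre-check tokens. A page tied to a
// session must still not be stored by browser or proxy caches.
// Assumes PHP 5.2+ and that no output has been sent yet.

function start_uncacheable_session($name = 'a_session_id')
{
    // An empty string disables PHP's built-in cache limiter entirely, so
    // session_start() emits no Cache-Control/Expires/Pragma headers itself.
    // session_cache_limiter(FALSE), as suggested in the thread, is coerced
    // to the same empty string.
    session_cache_limiter('');
    session_name($name);
    session_start();

    // Re-send the uncacheable directives ourselves, minus the ignored tokens.
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Pragma: no-cache');
    header('Expires: Thu, 01 Jan 1970 00:00:00 GMT'); // date in the past
}

// Defensive check for a test or a response filter: the session page must
// carry a Cache-Control header, and it must no longer contain post-check.
function cache_control_is_clean()
{
    foreach (headers_list() as $h) {
        if (stripos($h, 'Cache-Control:') === 0) {
            return stripos($h, 'post-check') === false
                && stripos($h, 'no-store') !== false;
        }
    }
    return false; // no Cache-Control header at all: page may be cached
}

start_uncacheable_session();
if (!cache_control_is_clean()) {
    error_log('session page is missing a clean Cache-Control header');
}
```

Note that headers_list() only reflects headers queued by this script, so the check must run before output is flushed.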
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jul 16 20:01:32 2025 UTC