php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #52109 session_start / session_write_close memory leak
Submitted: 2010-06-17 15:49 UTC Modified: 2010-07-03 12:59 UTC
From: smacky86 at gmail dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.3.2 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: smacky86 at gmail dot com
New email:
PHP Version: OS:

 

 [2010-06-17 15:49 UTC] smacky86 at gmail dot com 
Description:
------------
session_start() and session_write_close() don't free unused memory. When they are called multiple times, the memory usage reported by memory_get_usage() constantly grows.

The session data is stored in files, ini settings are default.

# php -v
PHP 5.2.9 (cli) (built: Sep  1 2009 11:43:38)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
    with Suhosin v0.9.31, Copyright (c) 2007-2010, by SektionEins GmbH


Test script:
---------------
session_start();
$_SESSION["foo"] = str_repeat("bar", 5000);
session_write_close();

$memory_before = round(memory_get_usage() / 1024, 2) . "KB";
for ($i=0; $i<1000; $i++)
{
  session_start();
  session_write_close();
}
$memory_after = round(memory_get_usage() / 1024, 2) . "KB";
echo "Before: " . $memory_before . "\n";
echo "After: " . $memory_after;

Expected result:
----------------
Before: 88.34KB
After: 88.34KB

(or something small amount)

Actual result:
--------------
Before: 88.34KB
After: 19906.61K

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-06-21 07:07 UTC] kalle@php.net 
We don't support PHP patched with 3rd party patches like Suhosin, what is the results without, and what does valgrind give you? Should show if there is a real leak
 [2010-06-21 07:19 UTC] kalle@php.net
-Status: Open +Status: Feedback
 [2010-06-21 07:19 UTC] kalle@php.net 
I forgot to include, did you try to disable the Zend allocator (USE_ZEND_ALLOC)?
 [2010-07-03 04:06 UTC] smacky86 at gmail dot com
-Status: Feedback +Status: Open
 [2010-07-03 04:06 UTC] smacky86 at gmail dot com 
Now I was able to test this case with a fresh new setup, now really v5.3.2 (the previous was 5.2.9, but I opend the ticket as 5.3.2).

The problem without Suhosin or any other extension doesn't appear, so the first question is solved.
But I observed something: the header of the HTTP response contains a lot of Set-Cookie line, one for each session_start() call.
I don't think it's the right way it should work.
 [2010-07-03 11:52 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2010-07-03 11:52 UTC] johannes@php.net 
That is expected. You might have sessions with different session names and keeping a list of them is a source of more trouble than simply sending them out in the correct order and letting the browser decide which to keep. Especially as usually no application doe multiple session_start) calls.
 [2010-07-03 12:59 UTC] smacky86 at gmail dot com 
In my case I start a database synchronization from a website, send the job to the background, and show the actual result to the user.
e.g.:

if (isset($_POST["user_clicked_on_the_synch_button"]))
{
  header("Location: ?result_page");
  header("Content-length: 0");
  header("Connection: close");
  session_write_close();
  usleep(100);

  // at this point the browser goes to the result page, and we can start the synchronization process in the background

  synch();

  // this event handler is called after every synchronized product
  function onSynchEvent()
  {
    // here i need to save the actual state of the synch process
    session_start();
    $_SESSION["blah"]++;
    session_write_close();
  }
}

On the result page I can check this session variable with periodic ajax requests. The session has to be closed due to the file lock.

This is why I have to call session start/close multiple times.
Since the browser is already detached, it throws the "cannot start session, headers already sent" errors, but even then the data is stored in session.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Jul 06 09:01:32 2025 UTC