Bug #71521 session_start floods header with Set-Cookie when called multiple times
Submitted: 2016-02-04 16:07 UTC Modified: 2016-08-29 07:19 UTC
From: David dot Gausmann at measX dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 7.0.8 OS: Windows
Private report: No CVE-ID: None

 [2016-02-04 16:07 UTC] David dot Gausmann at measX dot com
Description:
------------
In a productive website of a customer I need to start/stop the session multiple times during the execution of a single PHP script.
In some cases the proxy server had thrown HTTP error 502 that the header is too long.

I've found out that session_start always adds a Set-Cookie header, regardless of the fact that there is already exactly the same header line.

This bug has already been reported here, but is still unfixed, so I create a new bug report:
https://bugs.php.net/bug.php?id=38104
https://bugs.php.net/bug.php?id=31455

Test script:
---------------
<?php

session_name('Test');
session_cache_expire(180);
session_set_cookie_params(0, '/', '', false, true);

for($i = 0; $i < 10000; ++$i)
{
	session_start();
	session_write_close();
}

?>

Expected result:
----------------
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly

(exactly one time)

Actual result:
--------------
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
...

(10000 times)

 [2016-02-09 13:40 UTC] laruence@php.net
I can not reproduce this... only one cookie header is sent in my box. (php-cgi)
 [2016-02-09 22:53 UTC] yohgaki@php.net
-Status: Open +Status: Feedback
 [2016-02-09 22:53 UTC] yohgaki@php.net
I've fixed that session module sending multiple set cookie headers, a year ago or so. IIRC. OS/SAPI shouldn't matter. Are you sure you're using PHP7?

[yohgaki@dev PHP-7.0]$ ./sapi/cgi/php-cgi 
<?php

session_name('Test');
session_cache_expire(180);
session_set_cookie_params(0, '/', '', false, true);

for($i = 0; $i < 10000; ++$i)
{
	session_start();
	session_write_close();
}

?>
X-Powered-By: PHP/7.0.4-dev
Set-Cookie: Test=64082c017c50d407647dd29ecb0874e4; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
 [2016-02-10 08:32 UTC] David dot Gausmann at measX dot com
-Status: Feedback +Status: Open
 [2016-02-10 08:32 UTC] David dot Gausmann at measX dot com
This is strange:
I am using the current version of XAMPP for testing (includes PHP 7.0.2).
With the script I get this output in the browser (I see that with Firebug):
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
[...]
X-Powered-By: PHP/7.0.2

But when I use the php.exe (of the XAMPP directory) in server mode (C:\xampp\php\php.exe -S 127.0.0.1:80), I get the correct output in the browser.
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
X-Powered-By: PHP/7.0.2

So the problem must be somewhere in the communication between PHP and Apache...?

Kind Regards
David Gausmann
 [2016-08-27 07:04 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki
 [2016-08-27 07:04 UTC] yohgaki@php.net
I think this bug is fixed already.
 [2016-08-29 07:19 UTC] David dot Gausmann at measX dot com
-PHP Version: 7.0.3 +PHP Version: 7.0.8
 [2016-08-29 07:19 UTC] David dot Gausmann at measX dot com
Hello yohgaki,

I've tested this with the current XAMPP (Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/7.0.8) and the bug still occurs.
Have you really fixed something here?


Kind Regards
David Gausmann
 [2019-09-17 13:51 UTC] simon dot seyock at benndorf dot de
I can reproduce this error in the php:7.2-apache docker container.

Just create a directory, put the test script in there (maybe reduce it to 100), and run the docker container with `docker run -d -p 9999:80 --name cookie_error -v "$PWD":/var/www/html php:7.2-apache`

Then you can open the script at port 9999 and observe the multiple set headers.
 [2019-09-17 13:59 UTC] simon dot seyock at benndorf dot de
It also happens with the php:7.3-apache container.
 [2020-06-30 13:44 UTC] nanne at huiges dot nl
This bug is set as closed because yohgaki remarked it was fixed. The example by simon clearly shows that years later it still occurs, so I suppose this should be opened, as well as the other bugs referenced.

I can _not_ reproduce this with an nginx/fpm combination but the docker example mentioned above clearly shows the issue for 7.2 and testing it with the same command but the image php:7.4-apache also gives the error.

It could be an fpm vs mod-php issue?

Example with the provided test script (but with fewer iterations):

----------------
$ docker run -d -p 9999:80 --name cookie_error -v "$PWD":/var/www/html php:7.4-apache

$ curl http://127.0.0.1:9999/test_script.php -v
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9999 (#0)
> GET /test_script.php HTTP/1.1
> Host: 127.0.0.1:9999
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 30 Jun 2020 13:39:49 GMT
< Server: Apache/2.4.38 (Debian)
< X-Powered-By: PHP/7.4.7
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host 127.0.0.1 left intact
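
For applications that must restart the session several times per request, as in the reports above, one application-side mitigation is to collapse the pending Set-Cookie headers just before PHP sends them, so the response cannot grow past a proxy's header limit. This is an added example, not code from the PHP project or from any commenter; the function names are hypothetical, and it assumes headers_list() still contains every cookie the response needs, which has not been checked against each SAPI mentioned in this thread.

```php
<?php
// Added workaround sketch; function names are hypothetical, not PHP core APIs.

/**
 * Return the Set-Cookie lines from $headerLines with exact duplicates removed.
 * The LAST copy of each identical line is kept, so the cookie value the
 * browser ends up with (the final Set-Cookie for a name) does not change.
 */
function unique_set_cookie_lines(array $headerLines): array
{
    $seen = [];
    $kept = [];
    foreach (array_reverse($headerLines) as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0 || isset($seen[$line])) {
            continue; // not a cookie header, or an exact repeat
        }
        $seen[$line] = true;
        $kept[] = $line;
    }
    return array_reverse($kept);
}

/** Rewrite the pending response headers so each Set-Cookie line appears once. */
function collapse_duplicate_set_cookie(): void
{
    if (headers_sent()) {
        return; // too late to change anything
    }
    $unique = unique_set_cookie_lines(headers_list());
    header_remove('Set-Cookie');      // drop every queued Set-Cookie header
    foreach ($unique as $line) {
        header($line, false);         // false = append, keep other cookies
    }
}

// Runs when PHP is about to send headers, i.e. after every session_start() call.
header_register_callback('collapse_duplicate_set_cookie');

// The test script from the report, with fewer iterations.
session_name('Test');
session_set_cookie_params(0, '/', '', false, true);
for ($i = 0; $i < 100; ++$i) {
    session_start();
    session_write_close();
}
```

Checking the result with `curl -v`, as in the comment above, should show a single `Set-Cookie: Test=...` line if the mitigation takes effect on the SAPI in use.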
 