php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73245 session_start() doesn't start the session if headers have been sent
Submitted: 2016-10-04 17:40 UTC Modified: 2016-10-13 22:56 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:2 of 4 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php at duncanc dot co dot uk Assigned: yohgaki (profile)
Status: Wont fix Package: Session related
PHP Version: 7.1.0RC3 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: php at duncanc dot co dot uk
New email:
PHP Version: OS:

 

 [2016-10-04 17:40 UTC] php at duncanc dot co dot uk 
Description:
------------
In `7.0` and `5.6` calling `session_start()` even if headers have been sent still made `$_SESSION` usable, but `7.1` changes this behaviour.

Test script:
---------------
session_start();
$_SESSION['blah'] = 'foo';
var_dump($_SESSION);
session_write_close();

session_start();
var_dump($_SESSION);

Expected result:
----------------
The dumped array should be the same both times:
array(1) {
  ["blah"]=>
  string(3) "foo"
}

Actual result:
--------------
The second array dump is empty

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-05 10:51 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: yohgaki
 [2016-10-05 10:51 UTC] cmb@php.net 
According to `git bisect` the offending commit is
<https://github.com/php/php-src/commit/c200e8e1>.

Yasuo, can you please have a look at this issue.
 [2016-10-05 12:17 UTC] yohgaki@php.net
-Status: Verified +Status: Assigned
 [2016-10-05 12:17 UTC] yohgaki@php.net 
@cmd Thank you for investigation.
I'll look into this, but it seems I need more info. It works for me... 
Perhaps, SAPI involved? 

[yohgaki@dev PHP-7.1]$ ./php-bin 
<?php
session_start();
$_SESSION['blah'] = 'foo';
var_dump($_SESSION);
session_write_close();

session_start();
var_dump($_SESSION);
?>


array(1) {
  ["blah"]=>
  string(3) "foo"
}

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at -:4) in - on line 7

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at -:4) in - on line 7
array(1) {
  ["blah"]=>
  string(3) "foo"
}
 [2016-10-05 15:02 UTC] cmb@php.net 
Indeed, it appears to break only if there is already some output
before the first session_start(). Try:

    <?php
    echo "start\n";
    session_start();
    $_SESSION['blah'] = 'foo';
    var_dump($_SESSION);
    session_write_close();
    
    session_start();
    var_dump($_SESSION);
 [2016-10-06 08:05 UTC] yohgaki@php.net 
Related To: Bug #71038
 [2016-10-06 08:07 UTC] yohgaki@php.net 
Not initializing $_SESSION by 2nd session_start() is not a bug actually, but it should fail to initialize $_SESSION always when session_start() cannot be started. This is the objective for the bug fix commit mentioned.

So real bug here is session module initializes $_SESSION even if it failed to start when there is no output before 1st session_start().

This report's bug won't be fixed. I re-opened bug #71038.
 [2016-10-06 08:07 UTC] yohgaki@php.net
-Status: Assigned +Status: Wont fix
 [2016-10-11 16:26 UTC] nikic@php.net 
@yasuo: As noted on the linked PR, it would be good to add an UPGRADING note about this.
 [2016-10-13 22:56 UTC] yohgaki@php.net 
@nikic 
Done. Thanks.
 [2017-04-01 16:22 UTC] daarthv at yahoo dot com 
In my case session_set_cookie_params() causes problem, if i set domain, secure or httponly session is not set and cookie not sent, but if i leave only lifetime and path works ok. Any ideas how to fix it?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 14:01:29 2024 UTC