PHP :: Bug #77238 :: session_set_cookie_params behavior change in PHP 7.2

Bug #77238	session_set_cookie_params behavior change in PHP 7.2
Submitted:	2018-12-04 18:58 UTC	Modified:	2018-12-08 06:26 UTC
From:	john at zerocrates dot org	Assigned:
Status:	Not a bug	Package:	Session related
PHP Version:	7.2.12	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	john at zerocrates dot org
New email:
PHP Version:		OS:

New Comment:

[2018-12-04 18:58 UTC] john at zerocrates dot org

Description:
------------
Under PHP 7.1, calling session_set_cookie_params with an active session will successfully change the cookie sent to the client, IF session_regenerate_id is called afterward.

In PHP 7.2, calling session_set_cookie_params with an active session emits a warning:

Warning:  session_set_cookie_params(): Cannot change session cookie parameters when session is active

Additionally, the cookie is _not_ changed.

I've seen this described as a change which merely emits warnings informing developers of patterns that never worked in the first place and just failed silently (for example, the comments on #75650), but in this case presumably the function is bailing out after printing the warning, and the actual behavior is changed.

I was unable to find any discussion of this change in the migration documentation for PHP 7.2.

Test script:
---------------
session_start();
$params = session_get_cookie_params();
session_set_cookie_params(100, $params['path'], $params['domain'], $params['secure']);
session_regenerate_id();

// Under 7.1 this emits a Set-Cookie with the 100-second lifetime respected

// Under 7.2, it produces a warning and the Set-Cookie does not respect the new lifetime

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-12-04 19:12 UTC] john at zerocrates dot org

Bug #76358 seems to be a different facet of the same basic problem or change.

[2018-12-08 06:21 UTC] yohgaki@php.net

-Status: Open +Status: Not a bug

[2018-12-08 06:21 UTC] yohgaki@php.net

Program must set all parameters for session before activating session from PHP 7.2.

[2018-12-08 06:26 UTC] yohgaki@php.net

Please refer to PHP 7.2's UPGRADING in the source.

Changning session parameter for active session was the main cause of the session related bugs.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 18:01:29 2024 UTC