Bug #8556 start_session modify the HTTP header
Submitted: 2001-01-04 16:11 UTC Modified: 2001-02-20 15:45 UTC
From: georges dot dagousset at oxios dot fr Assigned:
Status: Closed Package: Session related
PHP Version: 4.0.4 OS: all
Private report: No CVE-ID: None

 [2001-01-04 16:11 UTC] georges dot dagousset at oxios dot fr
This is related to bug #8073

You are right when you said it is necessary to send a header with no-cache when PHP sends a cookie.
But I think it is not normal to change the header when php sends no cookie.

So I changed the code:
before
...
 if (send_cookie)
  php_session_send_cookie(PSLS_C);
 
 if (define_sid) {
  char *buf;

  buf = emalloc(strlen(PS(session_name)) + strlen(PS(id)) + 5);
  sprintf(buf, "%s=%s", PS(session_name), PS(id));
  REGISTER_STRING_CONSTANT("SID", buf, 0);
 } else
  REGISTER_STRING_CONSTANT("SID", empty_string, 0);
 PS(define_sid) = define_sid;

 PS(nr_open_sessions)++;

 php_session_cache_limiter(PSLS_C);
 php_session_initialize(PSLS_C);
...

after the change
...
 if (send_cookie) {
  php_session_send_cookie(PSLS_C);
  php_session_cache_limiter(PSLS_C);
 }
 
 if (define_sid) {
  char *buf;

  buf = emalloc(strlen(PS(session_name)) + strlen(PS(id)) + 5);
  sprintf(buf, "%s=%s", PS(session_name), PS(id));
  REGISTER_STRING_CONSTANT("SID", buf, 0);
 } else
  REGISTER_STRING_CONSTANT("SID", empty_string, 0);
 PS(define_sid) = define_sid;

 PS(nr_open_sessions)++;

 php_session_initialize(PSLS_C);
...

With this modification the no-cache header is sent only once. Maybe the modification is made the wrong way!?

Georges Dagousset
France
:-)

 [2001-02-20 15:45 UTC] sas@php.net
Regardless of whether the session id is transmitted by a cookie or the URL, the output of the PHP script is by default supposed to be non-cacheable.

If you think a client can cache the content of the page, change the session.cache_limiter configuration variable appropriately.
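
The point made in the reply, that a session page stays non-cacheable whether the id travels in a cookie or in the URL, can be checked from the response side. The following is an added example, not part of this bug thread or of PHP's code: a small audit over response headers in which the function names, the example.test URLs and the sample headers are constructed, and PHPSESSID is assumed as the session name (PHP's default).

```python
from urllib.parse import urlsplit, parse_qs

SESSION_NAME = "PHPSESSID"  # PHP's default session.name; change to match the site

def session_transport(url, headers, name=SESSION_NAME):
    """Return 'cookie', 'url' or None: how this exchange carries the session id."""
    for key, value in headers:
        if key.lower() == "set-cookie" and value.strip().startswith(name + "="):
            return "cookie"
    # URL transport: the id sits in the query string of the request URL
    # or of a redirect target.
    targets = [url] + [v for k, v in headers if k.lower() == "location"]
    if any(name in parse_qs(urlsplit(t).query) for t in targets):
        return "url"
    return None

def shared_cache_may_reuse(headers):
    """True when no header stops a shared cache from storing and reusing the
    response. Simplification: a missing Cache-Control counts as cacheable."""
    directives = set()
    for key, value in headers:
        if key.lower() == "cache-control":
            directives.update(d.split("=")[0].strip().lower() for d in value.split(","))
        elif key.lower() == "pragma" and "no-cache" in value.lower():
            directives.add("no-cache")  # HTTP/1.0 equivalent
    return not directives & {"no-store", "no-cache", "private"}

def audit(url, headers):
    transport = session_transport(url, headers)
    if transport and shared_cache_may_reuse(headers):
        return f"FINDING: session id via {transport}, response reusable by shared caches"
    return "ok"

# Constructed sample exchanges (not captured traffic).
NOCACHE = [("Cache-Control", "no-store, no-cache, must-revalidate"), ("Pragma", "no-cache")]
SAMPLES = {
    "cookie, limiter headers": ("http://example.test/cart.php",
                                [("Set-Cookie", "PHPSESSID=abc123; path=/")] + NOCACHE),
    "url, limiter headers": ("http://example.test/cart.php?PHPSESSID=abc123", NOCACHE),
    "url, no limiter headers": ("http://example.test/cart.php?PHPSESSID=abc123",
                                [("Content-Type", "text/html")]),
}

if __name__ == "__main__":
    for label, (url, headers) in SAMPLES.items():
        print(f"{label}: {audit(url, headers)}")
```

The third sample models a session page for which no cookie is sent, which is the case where the proposed change would skip the php_session_cache_limiter call.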
 
Last updated: Sat May 10 23:01:29 2025 UTC