|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32944 Disabling session.use_cookies doesn't prevent reading session cookies
Submitted: 2005-05-04 17:04 UTC Modified: 2005-05-20 12:28 UTC
Avg. Score:5.0 ± 0.0
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:2 (40.0%)
From: dziugas at gmail dot com Assigned:
Status: Closed Package: Session related
PHP Version: 5.*, 4.* (2005-05-06) OS: *
Private report: No CVE-ID:
 [2005-05-04 17:04 UTC] dziugas at gmail dot com
If configuration directive session.use_cookies is set to 0 (or Off), cookies aren't sent to the browser anymore, but however if browser sends a previously received cookie within a request, PHP tries to use it for session id.

This is the problem in WAP deployments where number of mobile phone browsers sends a Cookie in the form of:

Cookie: PHPSESSID="xxx, PHPSESSID=xxx" (as denoted in

This makes PHP to produce a warning:

PHP Warning:  Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

Reproduce code:


ini_set('session.use_cookies', true);

in the first request and 

ini_set('session.use_cookies', false);

in the secodn.

Expected result:
After the second request, session ID (as returned by session_id()) should not be same as after the first request.

Actual result:
The value returned by session_id() is the same within the first and second requests.

I think that session.use_cookies is disabled, there should be no checking if the browser sends the cookie having the same name as session_name().


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-05-20 12:28 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Fri Nov 27 02:01:29 2015 UTC