PHP :: Bug #33526 :: setting cookie value to '' results in cookie value of 'deleted'

[2005-06-30 18:26 UTC] aaron at istockphoto dot com

Description:
------------
This is related to the issue that was reported in Bug 
#25629 "session cookie being set to deleted when 
deleting a session" for version 4.3.1. I was not sure if 
I should try to re-open the old bug or submit a new one. 
My apologies.

The problem is not with the session code, but is a side 
affect of the behavior of setcookie().

Following the example provided in the manual entries for 
session_destroy() and setcookie(), the value of the 
session cookie is not set to '' (empty string) as 
expected, but is set to 'deleted' instead. This 
shouldn't be an issue, except that if the client 
computers date is incorrectly set in the distant past 
(not uncommon) then the cookie will not be removed from 
the browser and will be used passed in the next request 
as "deleted".

Within 24 hours of adding the the 
"setcookie('PHPSESSID', '', time() - 172800, '/', 
'.foo.bar')" line to our logout procedure we discovered 
that perhaps 40 visitors had shared the same session 
data. A a major security issue to be sure. We hacked our 
session handler object to not accept 'deleted' as a 
session ID.

Either PHP should be updated to set the value of the 
cookie to an empty string as the setcookie() command 
insinuates it will be, or the manual entries for 
session_destroy(), setcookie(), and 
session_set_save_handler() should be updated to explain 
the current behavior.

Thank you :)


Headers sent in request response to illustrate actual 
values of cookies:

HTTP/1.1 302 Found
Date: Thu, 30 Jun 2005 15:30:12 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_ssl/2.8.22 
OpenSSL/0.9.7d
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, 
post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=deleted; expires=Wed, 30-Jun
-04 15:30:11 GMT; path=/; domain=.foo.bar
Set-Cookie: somecookie=deleted; expires=Wed, 30-Jun
-04 15:41:00 GMT; path=/; domain=.foo.bar
location: /index.php
Transfer-Encoding: chunked
Content-Type: text/html


Reproduce code:
---------------
Source code:

session_start();

setcookie('PHPSESSID', '', time() - 172800, '/', '.foo.bar');
setcookie('somecookie', '', time() - 172800, '/', '.foo.bar');

$_SESSION = array();
session_destroy();

header('location: /index.php');


Expected result:
----------------
The value of PHPSESSID cookie (or any other cooke) would 
be set to '' (empty string)


Actual result:
--------------
The value of PHPSESSID cookie (or any other cooke) is 
set to 'deleted' resulting in many users sharing the 
same session ID.

[2005-06-30 18:30 UTC] tony2001@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2005-07-08 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2008-04-22 22:49 UTC] oliver at netconcepts dot com

This is not working in PHP 5.2.5

setrawcookie("Cookiename", "");

results in:

Set-Cookie: Cookiename=deleted; expires=Mon, 23-Apr-2007 22:47:55 GMT

[2008-09-24 13:14 UTC] taras dot di at gmail dot com

I can confirm for 5.2.5

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Sun May 28 13:03:46 2023 UTC