Bug #33526 setting cookie value to '' results in cookie value of 'deleted'
Submitted: 2005-06-30 18:26 UTC Modified: 2005-07-08 01:00 UTC
Votes:4
Avg. Score:4.5 ± 0.5
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (50.0%)
From: aaron at istockphoto dot com Assigned:
Status: No Feedback Package: Session related
PHP Version: 4.3.10 OS: Slackware 9.1.0
Private report: No CVE-ID: None
 [2005-06-30 18:26 UTC] aaron at istockphoto dot com
Description:
------------
This is related to the issue that was reported in Bug 
#25629 "session cookie being set to deleted when 
deleting a session" for version 4.3.1. I was not sure if 
I should try to re-open the old bug or submit a new one. 
My apologies.

The problem is not with the session code, but is a side 
effect of the behavior of setcookie().

Following the example provided in the manual entries for 
session_destroy() and setcookie(), the value of the 
session cookie is not set to '' (empty string) as 
expected, but is set to 'deleted' instead. This 
shouldn't be an issue, except that if the client 
computer's date is incorrectly set in the distant past 
(not uncommon) then the cookie will not be removed from 
the browser and will be passed in the next request 
as "deleted".

Within 24 hours of adding the 
"setcookie('PHPSESSID', '', time() - 172800, '/', 
'.foo.bar')" line to our logout procedure we discovered 
that perhaps 40 visitors had shared the same session 
data. A major security issue to be sure. We hacked our 
session handler object to not accept 'deleted' as a 
session ID.

Either PHP should be updated to set the value of the 
cookie to an empty string as the setcookie() command 
insinuates it will be, or the manual entries for 
session_destroy(), setcookie(), and 
session_set_save_handler() should be updated to explain 
the current behavior.

Thank you :)


Headers sent in the response to illustrate the actual 
values of the cookies:

HTTP/1.1 302 Found
Date: Thu, 30 Jun 2005 15:30:12 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7d
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=deleted; expires=Wed, 30-Jun-04 15:30:11 GMT; path=/; domain=.foo.bar
Set-Cookie: somecookie=deleted; expires=Wed, 30-Jun-04 15:41:00 GMT; path=/; domain=.foo.bar
location: /index.php
Transfer-Encoding: chunked
Content-Type: text/html


Reproduce code:
---------------
Source code:

<?php
session_start();

// Intended to clear both cookies by giving them an empty value and an
// expiry two days in the past; PHP instead emits the value "deleted".
setcookie('PHPSESSID', '', time() - 172800, '/', '.foo.bar');
setcookie('somecookie', '', time() - 172800, '/', '.foo.bar');

// Drop the server-side session data.
$_SESSION = array();
session_destroy();

header('location: /index.php');
exit;


Expected result:
----------------
The value of the PHPSESSID cookie (or any other cookie) would 
be set to '' (empty string).


Actual result:
--------------
The value of the PHPSESSID cookie (or any other cookie) is 
set to 'deleted', resulting in many users sharing the 
same session ID.
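As an added illustration (not part of the bug report and not PHP's own code), the following shows the two mitigations the report points to: refusing the literal 'deleted' (or any other malformed value) as a session ID before the session layer sees it, and a logout that rotates the ID before destroying the session so the cookie a browser keeps (if a wrong clock makes it ignore the expiry) is never a value shared with every other client. It assumes PHP 7.3 or later for the array form of setcookie(); the function names, the 'expired' placeholder and the sample values in the CLI loop are this example's own. The accepted alphabet is PHP's widest session ID alphabet (session.sid_bits_per_character = 6) and the length bounds are those PHP enforces for session.sid_length.

```php
<?php
declare(strict_types=1);

// Added example; not code from the bug report or from PHP itself.
// Mitigations for the shared "deleted" session ID described above:
//   1. refuse any incoming cookie value that is not a well-formed session ID
//      (the literal "deleted" and "" both fail the check);
//   2. on logout, rotate the ID *before* destroying the session, so whatever
//      the browser keeps if it ignores the expiry is unique to that client;
//   3. expire the cookie with a non-empty placeholder so setcookie() does not
//      fall back to the hard-coded "deleted".
// Assumes PHP >= 7.3 (array form of setcookie()).

// PHP's widest session ID alphabet is [0-9a-zA-Z,-] and session.sid_length is
// bounded to 22..256; the older 32/40-character md5/sha1 hex IDs also pass.
function is_valid_session_id(string $id): bool
{
    return preg_match('/\A[0-9a-zA-Z,-]{22,256}\z/', $id) === 1;
}

// Start the session without adopting a malformed client-supplied ID.
// session_start() takes its ID from $_COOKIE[session_name()], so removing a
// bad value there makes PHP generate a fresh one. session.use_strict_mode
// (PHP >= 5.5.2) adds the complementary check that the ID was issued by us.
function start_session_strictly(): void
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_valid_session_id((string) $_COOKIE[$name])) {
        unset($_COOKIE[$name]);
    }
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Logout that never leaves every client holding the same cookie value.
function logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        start_session_strictly();
    }

    // Fresh ID first: the cookie the browser now holds is random and unique.
    session_regenerate_id(true);

    // Then discard the server-side data behind it.
    $_SESSION = [];
    session_destroy();

    // Expire the cookie explicitly. 'expired' (hypothetical placeholder) is
    // deliberately not a valid session ID, so a client with a wrong clock that
    // resends it is turned away by is_valid_session_id() on the next request.
    $p = session_get_cookie_params();
    setcookie(session_name(), 'expired', [
        'expires'  => time() - 172800,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Stand-alone check of the validator (no web server needed): php thisfile.php
if (PHP_SAPI === 'cli') {
    // Constructed sample values, including the two the bug report is about.
    $candidates = ['deleted', '', 'x', str_repeat('a1', 16), 'abc,DEF-012345678901234'];
    foreach ($candidates as $candidate) {
        printf("%-40s %s\n", var_export($candidate, true),
            is_valid_session_id($candidate) ? 'accepted' : 'rejected');
    }
}
```

In a real application start_session_strictly() replaces every bare session_start() call, and logout() replaces the routine quoted in the report; the validator is the equivalent of the "don't accept 'deleted'" hack the submitter describes, generalised to any value that could not have been produced by PHP's ID generator.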

 [2005-07-08 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-04-22 22:49 UTC] oliver at netconcepts dot com
This is not working in PHP 5.2.5

setrawcookie("Cookiename", "");

results in:

Set-Cookie: Cookiename=deleted; expires=Mon, 23-Apr-2007 22:47:55 GMT
 [2008-09-24 13:14 UTC] taras dot di at gmail dot com
I can confirm for 5.2.5
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Feb 19 13:01:30 2020 UTC