php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #33868 Session cookies are set only once
Submitted: 2005-07-26 17:28 UTC Modified: 2005-07-26 20:53 UTC
From: wglynn at freedomhealthcare dot org Assigned: sas (profile)
Status: Not a bug Package: Session related
PHP Version: 4.3.11 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2005-07-26 17:28 UTC] wglynn at freedomhealthcare dot org 
Description:
------------
After switching webservers (and upgrading PHP) over the weekend for an internal application, our users began reporting that they were getting logged out randomly. After triple-checking our code and web server setup, we started digging through the PHP source, and eventually discovered the issue.

In PHP 4.3.4 (and versions before and after 4.3.4), setting a nonzero value of session.cookie_lifetime either via php.ini or session_set_cookie_params() resulted in a cookie that expires a certain number of seconds after the current page load. This has the net effect of session.cookie_lifetime setting an inactivity timeout.

In PHP 4.3.11, session_start() sends Set-Cookie: once, with an expiration time governed by session.cookie_lifetime. (I believe this behavior changed for PHP 4.3.9.) So, if session.cookie_lifetime is 20 minutes, the cookie will expire and destroy the session 20 minutes after login, regardless of any activity.

Bug #30232 attempted to change this behavior and got a patch committed, but it was ripped out, saying that the behavior of setting the cookie once is intentional and correct. I feel that this behavior is completely wrong for cases where session.cookie_lifetime is nonzero; there is no situation where sessions should expire a fixed time after setting them, but many situations where sessions should expire a fixed time after a call to session_start().

My proposed fix is to always send cookies if session.cookie_lifetime is nonzero.

Reproduce code:
---------------
<?php

header('Refresh: 10');
session_set_cookie_params(15);
session_start();

if (!isset($_SESSION['i'])) {
  $_SESSION['i'] = 1;
  echo 'Started session.';

} else {
  $_SESSION['i']++;
  echo "Page load number {$_SESSION['i']}.";
}


Expected result:
----------------
"Page load number" should keep incrementing for as long as the browser keeps refreshing the page within the cookie lifetime.

Actual result:
--------------
The cookie expires 15 seconds after the first page load, destroying the session.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-07-26 20:37 UTC] sniper@php.net 
You've got confused with session maxlife and cookie max life.
There's no bug here.
 [2005-07-26 20:53 UTC] wglynn at freedomhealthcare dot org 
I am aware that session.gc_maxlifetime can have a similar effect, however:

1. session.cookie_lifetime gives a much finer degree of control over the duration of the session, as different lifetimes can be assigned based on user-specified criteria (i.e. inside hosts get one timeout, outside hosts get another)
2. This is a deviation from earlier behavior that was not documented in the master ChangeLog
3. This change of behavior provides no benefit for non-zero values of session.cookie_lifetime and breaks existing software that expects session_start() to reset the cookie expiration
4. If the new behavior is desired (for whatever reason), it can be synthesized under the old behavior. The opposite is not true.

As I see it, the bottom line is that having session_start() send a cookie only when the browser did not supply one reduces functionality, breaks some existing software, and helps nothing when cookie_lifetime is nonzero. Changing this behavior back would be trivial, and would give a tangible benefit.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue May 14 20:01:31 2024 UTC