PHP :: Bug #35233 :: session_name gives bad result with session.auto

Bug #35233	session_name gives bad result with session.auto_start=true
Submitted:	2005-11-16 04:50 UTC	Modified:	2005-11-16 15:49 UTC
From:	gandalf at flock dot com	Assigned:
Status:	Not a bug	Package:	Session related
PHP Version:	5.0.5	OS:	*
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	gandalf at flock dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2005-11-16 04:50 UTC] gandalf at flock dot com

Description:
------------
As mentioned in bugs 1988 and 16389 when you set up session.auto_start=true, then you can't play with session_name.
It's ok.

But if so, then session_name() should return the REAL name, not the false one.

It's totally misleading to accept session name change (without an Exception).

Reproduce code:
---------------
1) Set session.auto_start=true in php.ini
2) 
<?php

session_name('foo');
session_start();

print('Session name: '.session_name());
?>

Expected result:
----------------
Session name: PHPSESSID

Actual result:
--------------
Session name: foo


'session_name()' should give the real session cookie name.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-11-16 10:24 UTC] tony2001@php.net

Why is that a bug?
session_name() *does* change the session name, but it's too late, because session has already been started.
So the session_name() behaviour is correct.

[2005-11-16 15:49 UTC] gandalf at flock dot com

> So the session_name() behaviour is correct.

I understand your point of view, but try to understand mine. When a coder works on the session stuff, he can't know about all possible envoirnments where the code will be launched. When he finds session_name function and it's description, he simply uses it to (usually) check if session cookie exists.

So it usually will looks like it was in MediaWiki (http://bugzilla.wikimedia.org/show_bug.cgi?id=3990) - in some place they choose session name, and later they simply check if session cookie exists (isset($_COOKIE[session_name()])) - this will work bad if session.auto_start is on.

Even more. I have no chance to get the real name.

So I'd propose either to document this in session_name docs, and add ability to check the REAL name (for example by providing get_session_name(true) to get the real one)?

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 18:01:28 2024 UTC