Bug #43226 PHP Cookie expiration
Submitted: 2007-11-09 15:31 UTC
Modified: 2007-11-11 15:01 UTC
From: bnies at bluewin dot ch
Assigned:
Status: Not a bug
Package: Session related
PHP Version: 5.2.4
OS: Solaris 9
Private report: No
CVE-ID:
 [2007-11-09 15:31 UTC] bnies at bluewin dot ch
Description:
------------
I'm not sure if it has been fixed in PHP 5.2.4 but the problem is there in PHP 5.2.2.

If PHP terminates a session with session_unregister(); it sends these HTTP headers to the browser:

Set-Cookie: SQMSESSID=deleted; expires=Thu, 09-Nov-2006 13:34:48 GMT; path=/

The 'expires' option is an old option proposed by Netscape. See RFC 2109. We stumbled across a session problem with a proxy software that ignores this 'expires' option and implements only the new 'Max-Age=0' option. The expires=olddate is also bad, because one can never know what the time on the remote side is. What if the remote system clock is more than one year behind?

Could it be a fix to send both cookie expire options to make sure a cookie gets really deleted:

Set-Cookie: SQMSESSID=deleted; expires=Thu, 09-Nov-2006 13:34:48 GMT; path=/
Set-Cookie: SQMSESSID=deleted; Max-Age=0; path=/

The problem appeared with the proxy software that ignored cookie deletion and then sent the session cookie with value "deleted" to the application, which then treated the session ID "deleted" as a valid session.

See here for more details:

https://sourceforge.net/tracker/index.php?func=detail&aid=1829025&group_id=311&atid=100311


Best Regards,
Bernd Nies
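
The report above raises two separate points: a deletion header that carries only 'expires', and an application that accepted the placeholder value "deleted" as a session ID. The following is an added example, not part of the original report and not PHP's own code; it shows a deletion header with both attributes and a server-side check that rejects the placeholder. The function names, the assumed session ID format and the sample IDs are hypothetical.

```php
<?php
// Added example (PHP 7.1+). Names and the ID format are assumptions.

// Build one deletion header carrying both 'expires' and 'Max-Age=0', so a
// client or proxy that honours only one of them still drops the cookie.
function build_delete_cookie_header(string $name, string $path = '/'): string
{
    // Refuse anything that could break out of the header line.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    if (preg_match('/[\x00-\x1f;]/', $path)) {
        throw new InvalidArgumentException('invalid cookie path');
    }
    // A fixed date at the start of the Unix epoch instead of "now minus one
    // year": it does not depend on the local clock, and a lagging remote
    // clock is far less likely to still consider it in the future.
    $expires = gmdate('D, d-M-Y H:i:s', 1) . ' GMT';
    return sprintf('Set-Cookie: %s=deleted; expires=%s; Max-Age=0; path=%s',
        $name, $expires, $path);
}

// Server-side check: a session ID is accepted only if it has the expected
// shape AND is known to the session store. The store is modelled here as an
// array keyed by ID; the character class and length are assumptions.
function is_acceptable_session_id(?string $id, array $activeIds): bool
{
    if ($id === null || $id === 'deleted') {
        return false; // placeholder written by the deletion header
    }
    if (!preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id)) {
        return false; // not shaped like a generated ID
    }
    return isset($activeIds[$id]); // never trust an ID the server did not issue
}

// Constructed sample data.
$active = ['0123456789abcdef0123456789abcdef' => true];
$candidates = ['deleted', '0123456789abcdef0123456789abcdef',
               'ffffffffffffffffffffffffffffffff'];

echo build_delete_cookie_header('SQMSESSID'), "\n";
foreach ($candidates as $candidate) {
    $ok = is_acceptable_session_id($candidate, $active);
    printf("%-34s %s\n", $candidate, $ok ? 'accept' : 'reject');
}
```

The second function is the part that matters when an intermediary ignores the deletion header: the cookie value may come back, but it never maps to a live session.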



 [2007-11-11 15:01 UTC] derick@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

Sounds like a broken proxy to me, and the argument of a date being off is lame... you should not mess with your computer's time.
 
Last updated: Wed Apr 23 09:02:23 2014 UTC