Request #43439 PHP Cookie expiration (2)
Submitted: 2007-11-28 10:57 UTC
Modified: 2013-04-16 19:41 UTC
From: bnies at bluewin dot ch
Assigned: yohgaki
Status: Closed
Package: Session related
PHP Version: 5.2.5
OS: Solaris 9
Private report: No
CVE-ID:
 [2007-11-28 10:57 UTC] bnies at bluewin dot ch
Description:
------------
Concerning Bug #43226 because it was set to 'bogus' and additional comments are not allowed.

First: I did not ask for support.

The issue I submitted is concerning the HTTP headers that the PHP function session_unregister() sends to the browser.

My suggestion was to send Cookie Expires and Cookie Max-Age together when unregistering a PHP session to make sure that even with broken proxy or browser implementations the session gets terminated.

This problem came across a broken proxy implementation that only treated the Max-Age option and ignored the Expires option and then sent the session cookie with the value 'deleted' back to the PHP application which then treated it as a valid session.

See:

https://sourceforge.net/tracker/index.php?func=detail&aid=1829098&group_id=311&atid=100311

I don't mess with the computer's time, but some internet users might do this and change the date to use expired software licenses. I don't know if the PHP application or PHP itself sets the cookie expires date to one year in the past. Maybe setting it to 1 January 1980 00:00 GMT is the safest way.

Bye,
Bernd


History

 [2011-04-08 21:30 UTC] jani@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2011-04-08 21:30 UTC] jani@php.net
-Package: *General Issues +Package: Session related
 [2012-03-31 03:28 UTC] yohgaki@php.net
Sounds reasonable
 [2012-03-31 03:28 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2013-01-15 08:10 UTC] narf at bofh dot bg
This has been fixed via the following pull request:

https://github.com/php/php-src/pull/238
 [2013-04-16 19:41 UTC] yohgaki@php.net
setcookie() has changed
 [2013-04-16 19:41 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
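
The two points raised in this report, as an added example (not code from php-src, from the pull request linked above, or from the affected application): a deletion header that carries both Expires and Max-Age, and a server-side lookup that never accepts the echoed-back 'deleted' value as a session. The cookie name APPSESSID, the in-memory store and the session ID pattern are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Placeholder value written into a cookie that is being deleted; the report
// describes a proxy sending this value back to the application.
const TOMBSTONE = 'deleted';

// Build a Set-Cookie header that expires the cookie with BOTH attributes, so a
// client or proxy that honours only one of them still drops it.
function expired_cookie_header(string $name, string $path = '/'): string
{
    // Fixed date in the past (the report's 1 January 1980 suggestion), so the
    // result does not depend on how far off the client's clock is.
    $expires = gmdate('D, d M Y H:i:s', gmmktime(0, 0, 0, 1, 1, 1980)) . ' GMT';
    return sprintf('Set-Cookie: %s=%s; Expires=%s; Max-Age=0; Path=%s; HttpOnly',
        $name, TOMBSTONE, $expires, $path);
}

// A cookie value is a session only if it names a live server-side record.
// $store is a hypothetical session store keyed by session ID.
function resolve_session(?string $cookieValue, array $store): ?array
{
    if ($cookieValue === null || $cookieValue === TOMBSTONE) {
        return null; // missing cookie or echoed-back tombstone
    }
    if (preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $cookieValue) !== 1) {
        return null; // not shaped like an ID this application issues (assumed format)
    }
    return $store[$cookieValue] ?? null; // unknown or already destroyed ID
}

// Logout: destroy the server-side record first, then ask the client to forget
// the cookie. Even if the client keeps it, the ID no longer resolves.
function logout(string $cookieValue, array &$store, string $name = 'APPSESSID'): string
{
    unset($store[$cookieValue]);
    return expired_cookie_header($name);
}

// Constructed demo data: one live session for a made-up user.
$sid = bin2hex(random_bytes(16));
$store = [$sid => ['user' => 'alice']];

var_dump(resolve_session($sid, $store) !== null); // live session resolves
echo logout($sid, $store), "\n";                  // header with Expires and Max-Age
var_dump(resolve_session(TOMBSTONE, $store));     // tombstone is rejected
var_dump(resolve_session($sid, $store));          // old ID is rejected after logout
```

In a web request the string returned by logout() would be passed to header(); it is echoed here so the file runs from the command line.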
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 07:02:14 2014 UTC