Request #49725 session: Cache-Control header should not have post-check, pre-check
Submitted: 2009-09-30 18:29 UTC Modified: 2010-11-24 10:55 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: sec dot wb at heysoft dot de Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.2.11 OS: *
Private report: No CVE-ID: None
 [2009-09-30 18:29 UTC] sec dot wb at heysoft dot de
Description:
------------
The function session_start causes PHP to send the following line:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

This is quite stupid because no browser cares about "post-check=0, pre-check=0". IE will ignore it, as you can read here:
http://blogs.msdn.com/ieinternals/archive/2009/07/20/Using-post_2D00_check-and-pre_2D00_check-cache-directives.aspx
It says: "http://blogs.msdn.com/ieinternals/archive/2009/07/20/Using-post_2D00_check-and-pre_2D00_check-cache-directives.aspx"

And apparently there was even a beta version of IE7 which downloaded all objects twice when "post-check=0, pre-check=0" was specified.

So, I wonder why it is there in nearly every PHP page?

Reproduce code:
---------------
<?php
	// Start a session
	if(!defined('SESSION_STARTED')) {
		session_name('a_session_id');
		@session_start();
		define('SESSION_STARTED', true);
	}
?>

Expected result:
----------------
No stupid cache control output

Actual result:
--------------
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

 [2009-09-30 18:31 UTC] sec dot wb at heysoft dot de
In the description I copied the link twice; I wanted to write:

It says: "If both post-check and pre-check are specified and set to 0, both are entirely ignored"
 [2010-11-24 10:55 UTC] jani@php.net
-Status: Open +Status: Bogus -Package: Feature/Change Request +Package: *General Issues
 [2010-11-24 10:55 UTC] jani@php.net
You can disable it with session_cache_limiter( FALSE );
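As an added example (not jani's or the reporter's code), the following shows the approach from the comment above in context: the built-in limiter is switched off with `session_cache_limiter('')` (the `FALSE` in the comment is coerced to that empty string) before `session_start()`, and an explicit `Cache-Control` without the IE-only tokens is emitted instead, so pages carrying session state still get `no-store`. The session name and helper function names are assumptions.

```php
<?php
// Added example, not code from the bug report. Disables PHP's automatic
// session cache headers and sends an explicit set without post-check/pre-check,
// keeping no-store so session pages stay out of shared and disk caches.

function session_cache_headers(): array
{
    // no-store keeps the response out of caches entirely; no-cache and
    // must-revalidate force revalidation in any cache that stores it anyway.
    return [
        'Cache-Control: no-store, no-cache, must-revalidate',
        'Pragma: no-cache',                       // for HTTP/1.0 caches
        'Expires: Thu, 19 Nov 1981 08:52:00 GMT', // fixed past date, as PHP's nocache limiter sends
    ];
}

function start_session_with_clean_headers(string $name = 'a_session_id'): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started elsewhere; do not re-emit headers
    }
    session_name($name);
    // '' turns off the automatic Cache-Control/Pragma/Expires output.
    // It must be called before session_start() to take effect.
    session_cache_limiter('');
    session_start();
    foreach (session_cache_headers() as $h) {
        header($h);
    }
}

if (PHP_SAPI !== 'cli') {
    start_session_with_clean_headers();
} else {
    // On the CLI no headers are sent; print what a web request would receive.
    foreach (session_cache_headers() as $h) {
        echo $h, PHP_EOL;
    }
}
```

Equivalently, `session.cache_limiter=` (empty) in php.ini switches the automatic headers off for every script; the explicit headers are then the application's responsibility.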
 [2010-11-24 10:55 UTC] jani@php.net
-Package: *General Issues +Package: Session related
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 15:01:28 2024 UTC