php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #62743 Empty, but set session cookies cause warning and cause sessions to not save
Submitted: 2012-08-03 17:40 UTC Modified: 2013-10-15 11:54 UTC
From: brianlmoon@php.net Assigned:
Status: No Feedback Package: Session related
PHP Version: 5.3.15 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: brianlmoon@php.net
New email:
PHP Version: OS:

 

 [2012-08-03 17:40 UTC] brianlmoon@php.net
Description:
------------
If a session cookie is not set, a new session id will be created and all works fine. However, if for some reason the session cookie is set, but an empty string, session_start() throws a warning and custom session handlers are called with an empty session id. In addition, no session cookies are set.

Test script:
---------------
The test script involves setting empty cookies and such. This is the user land workaround I am using for now. 

if(isset($_COOKIE[ini_get("session.name")]) && empty($_COOKIE[ini_get("session.name")])){
    // The cookie is empty. This is bad.
    unset($_COOKIE[ini_get("session.name")]);
}
session_start();


Expected result:
----------------
An empty session cookie should be treated the same as an unset session cookie.

Actual result:
--------------
Empty session cookies are treated as session ids, but warned and cause sessions to not be saved.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-06-27 09:00 UTC] yohgaki@php.net
-Status: Open +Status: Feedback
 [2013-06-27 09:00 UTC] yohgaki@php.net
If session cookie is empty string, cookie should be deleted.
Do you mean string looks empty? i.e. '   ' for instance.

If multiple cookie for the same name is set (i.e. set path and/or domain for 
cookie), already existing cookie may not be able to be 
overwritten by new cookie.

Your case sounds like later case. If so, it's the cookie spec and we cannot do 
much and please close this bug report.

We can try to delete all the possible pattern of path and domain for session 
cookie, but I think it's users task.
 [2013-10-15 11:54 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Tue Jan 31 20:05:54 2023 UTC