php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71521 session_start floods header with Set-Cookie when called multiple times
Submitted: 2016-02-04 16:07 UTC Modified: 2016-08-29 07:19 UTC
From: David dot Gausmann at measX dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 7.0.8 OS: Windows
Private report: No CVE-ID: None
 [2016-02-04 16:07 UTC] David dot Gausmann at measX dot com
Description:
------------
In a productive website of a customer I need to start/stop the session multiple times during the execution of a single PHP script.
In some cases the proxy server had thrown HTTP error 502 that the header is too long.

I've found out, that session_start always adds a Set-Cookie header, regardless of the fact that there is already exactly the same header line.

This bug has already been reported here, but is still unfixed, so I create a new bug report:
https://bugs.php.net/bug.php?id=38104
https://bugs.php.net/bug.php?id=31455

Test script:
---------------
<?php

session_name('Test');
session_cache_expire(180);
session_set_cookie_params(0, '/', '', false, true);

for($i = 0; $i < 10000; ++$i)
{
	session_start();
	session_write_close();
}

?>

Expected result:
----------------
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly

(exactly one time)

Actual result:
--------------
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
Set-Cookie: Test=68nh86r3ks6jo6tughb7d3u7a5; path=/; HttpOnly
...

(10000 times)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-02-09 13:40 UTC] laruence@php.net
I can not reproduce this... only one cookie header is sent in my box. (php-cgi)
 [2016-02-09 22:53 UTC] yohgaki@php.net
-Status: Open +Status: Feedback
 [2016-02-09 22:53 UTC] yohgaki@php.net
I've fixed that session module sending multiple set cookie headers, a year ago or so. IIRC. OS/SAPI shouldn't matter. Are you sure you're using PHP7?

[yohgaki@dev PHP-7.0]$ ./sapi/cgi/php-cgi 
<?php

session_name('Test');
session_cache_expire(180);
session_set_cookie_params(0, '/', '', false, true);

for($i = 0; $i < 10000; ++$i)
{
	session_start();
	session_write_close();
}

?>
X-Powered-By: PHP/7.0.4-dev
Set-Cookie: Test=64082c017c50d407647dd29ecb0874e4; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
 [2016-02-10 08:32 UTC] David dot Gausmann at measX dot com
-Status: Feedback +Status: Open
 [2016-02-10 08:32 UTC] David dot Gausmann at measX dot com
This is strange:
I am using the current version of XAMPP for testing (includes PHP 7.0.2).
With the script I get this output in the browser (I see that with Firebug):
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
[...]
X-Powered-By: PHP/7.0.2

But when I use the php.exe (of the XAMPP directory) in server mode (C:\xampp\php\php.exe -S 127.0.0.1:80), I get the correct output in the browser.
Set-Cookie: Test=q9s49o455gn4jeu75nht01knj6; path=/; HttpOnly
X-Powered-By: PHP/7.0.2

So the problem must be somewhere in the communication between PHP and Apache...?

Kind Regards
David Gausmann
 [2016-08-27 07:04 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki
 [2016-08-27 07:04 UTC] yohgaki@php.net
I think this bug is fixed already.
 [2016-08-29 07:19 UTC] David dot Gausmann at measX dot com
-PHP Version: 7.0.3 +PHP Version: 7.0.8
 [2016-08-29 07:19 UTC] David dot Gausmann at measX dot com
Hello yohgaki,

I've tested this with the current XAMPP (Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/7.0.8) and the bug still occurs.
Have you really fixed something here?


Kind Regards
David Gausmann
 [2019-09-17 13:51 UTC] simon dot seyock at benndorf dot de
I can reproduce this error in the php:7.2-apache docker container.

just create a directory put the test script in there (maybe reduce it to 100) and run the docker container with `docker run -d -p 9999:80 --name cookie_error -v "$PWD":/var/www/html php:7.2-apache`

then you can open the script at port 9999 and observe the multiple set headers.
 [2019-09-17 13:59 UTC] simon dot seyock at benndorf dot de
It also happens with the php:7.3-apache container.
 [2020-06-30 13:44 UTC] nanne at huiges dot nl
This bug is set as closed because yohgaki remarked it was fixed. The example by simon clearly shows that years later it still occurs, so I suppose this should be opened, as well as the other bugs referenced.

I can _not_ reproduce this with an nginx/fpm combination but the docker example mentioned above clearly shows the issue for 7.2 and testing it with the same command but the image php:7.4-apache also gives the error.

It could be a fpm vs mod-php issue?

example with the provided test script (but with less iterations)

----------------
$ docker run -d -p 9999:80 --name cookie_error -v "$PWD":/var/www/html php:7.4-apache

$ curl http://127.0.0.1:9999/test_script.php -v*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9999 (#0)
> GET /test_script.php HTTP/1.1
> Host: 127.0.0.1:9999
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue, 30 Jun 2020 13:39:49 GMT
< Server: Apache/2.4.38 (Debian)
< X-Powered-By: PHP/7.4.7
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Set-Cookie: Test=23d3c1c313718547312376035819a63e; path=/; HttpOnly
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host 127.0.0.1 left intact
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Mon Jan 30 16:05:53 2023 UTC