Bug #72940 SID always return "name=ID", even if session cookie exists
Submitted: 2016-08-25 10:18 UTC Modified: 2016-08-30 07:27 UTC
From: archinf at archinform dot de Assigned: yohgaki
Status: Closed Package: Session related
PHP Version: 7.0.10 OS:
Private report: No CVE-ID:
 [2016-08-25 10:18 UTC] archinf at archinform dot de
Description:
------------
---
From manual page: http://www.php.net/session.constants
---
SID:
Constant containing either the session name and session ID in the form of "name=ID" or empty string if session ID was set in an appropriate session cookie. 

This worked in all previous versions (up to 5.6), but after the update to PHP 7, SID contains the value "name=ID" even when a session cookie exists.
In my PHP code, cookies are used for sessions by default, and as a fallback (if the user disables cookies) the session ID is transferred in the URL. But now the session ID is transferred every time, because SID always contains "name=ID".


 [2016-08-25 10:43 UTC] cmb@php.net
That might be related to bug #71974.
 [2016-08-25 10:54 UTC] archinf at archinform dot de
php.ini main session related settings:

session.save_handler = files
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 0
session.name = ID
session.auto_start = 0
session.use_trans_sid = 0
 [2016-08-25 11:00 UTC] archinf at archinform dot de
@cmb.php.net:

In bug #71974 session.use_trans_sid is set to 1 (in my case 0).
 [2016-08-27 05:10 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2016-08-27 05:10 UTC] yohgaki@php.net
It's an oversight. However, IMHO SID should always be defined, as it might break apps that define the SID constant.
 [2016-08-27 07:37 UTC] yohgaki@php.net
I'll fix this because some users may be relying on the feature of SID being empty when there is a session ID cookie.
 [2016-08-29 09:08 UTC] archinf at archinform dot de
@yohgaki: Thanks. As a workaround, in the meantime I check for session cookie existence (and SID match) with something like ...if(!((isset($_COOKIE[session_name()]))&&($_COOKIE[session_name()]==session_id()))){...
 [2016-08-29 09:19 UTC] archinf at archinform dot de
While dealing with SID, the following further question arose: What happens if the session ID is defined by cookie AND URL parameter (with different values)? Does PHP have any kind of predefined priority/error handling in such a case?
 [2016-08-30 07:01 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b5f2f6fbd802ad3bc4fb37185e9e776bb089db56
Log: Fixed bug #72940 SID always return "name=ID", even if session cookie exist
 [2016-08-30 07:01 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2016-08-30 07:27 UTC] yohgaki@php.net
Cookie has priority when session.use_cookies=1.
 [2016-08-31 23:12 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cc797d4fc3e6de1a21cbe91f810767cc491c7696
Log: Fix bug #72940 properly. Reduce needless branches
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cc797d4fc3e6de1a21cbe91f810767cc491c7696
Log: Fix bug #72940 properly. Reduce needless branches
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b5f2f6fbd802ad3bc4fb37185e9e776bb089db56
Log: Fixed bug #72940 SID always return "name=ID", even if session cookie exist
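The cookie check from the workaround above, written out as an added example (not code from this report or from php-src). The function names sid_for_url() and with_sid() are hypothetical and the session values are constructed; it uses a strict comparison because the loose == in the workaround compares numeric-looking strings as numbers.

```php
<?php
declare(strict_types=1);

/**
 * Return "name=ID" for URL propagation, or "" when the client already sent
 * the active session ID in its cookie (the SID behaviour the manual documents).
 * Hypothetical helper; in an application call it after session_start() as
 * sid_for_url($_COOKIE, session_name(), session_id()).
 */
function sid_for_url(array $cookies, string $sessionName, string $sessionId): string
{
    $cookie = $cookies[$sessionName] ?? null;
    // is_string() rejects array-valued cookies; hash_equals() is a strict,
    // constant-time string comparison.
    if (is_string($cookie) && hash_equals($sessionId, $cookie)) {
        return '';
    }
    return rawurlencode($sessionName) . '=' . rawurlencode($sessionId);
}

/** Append the SID fragment to a URL only when one is needed. */
function with_sid(string $url, string $sid): string
{
    if ($sid === '') {
        return $url;
    }
    return $url . (strpos($url, '?') === false ? '?' : '&') . $sid;
}

// Constructed sample values; "ID" matches session.name in the reported php.ini.
$name   = 'ID';
$active = '0e1234';
$cases  = [
    'cookie matches'        => [$name => '0e1234'],
    'no cookie'             => [],
    'cookie differs'        => [$name => '0e9999'],
    'array-valued cookie'   => [$name => ['0e1234']],
];

foreach ($cases as $label => $cookies) {
    $sid = sid_for_url($cookies, $name, $active);
    printf("%-20s SID=%-12s link=%s\n", $label, var_export($sid, true),
        with_sid('/cart.php?step=2', $sid));
}

// Why == is not enough: both operands are numeric strings equal to zero.
var_dump('0e1234' == '0e9999', hash_equals('0e1234', '0e9999'));
```

Keeping the ID out of URLs whenever the cookie is present matters because URLs end up in logs, browser history and Referer headers.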
 
Last updated: Mon Feb 20 22:01:35 2017 UTC