php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73140 session_regenerate_id overrides setcookie if names match
Submitted: 2016-09-21 23:02 UTC Modified: 2016-09-26 20:54 UTC
From: evgeny dot budakov+phpnet at gmail dot com Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 7.0Git-2016-09-21 (Git) OS: Ubuntu
Private report: No CVE-ID: None
 [2016-09-21 23:02 UTC] evgeny dot budakov+phpnet at gmail dot com
Description:
------------
session_regenerate_id overrides setcookie if names match but domains may differ. In my case domain names were ('domain.com' vs '.domain.com').

The issue arises when I try to delete cookie via setcookie function (on domain 'domain.com') and immediately after I have a call to session_regenerate_id (on domain '.domain.com')


Test script:
---------------
session_name('test');
session_start();

// PHP 5
setcookie('test', '', time()-10000000, '/', 'thrivemarket.com'); // outputs Set-cookie test = deleted header(thrivemarket.com)
session_regenerate_id(true); // Outputs Set-cookie test = (session id) header (.thrivemarket.com)


// PHP 7
setcookie('test', '', time()-10000000, '/', 'thrivemarket.com');  // <--- THIS IS THE BUG, unlike in PHP 5 this call is ignored in PHP 7
session_regenerate_id(true); // Outputs Set-cookie test = (session id) header (.thrivemarket.com)

Expected result:
----------------
In PHP 7 I expect the "Set-cookie test = deleted" header to be output just as it does in PHP 5

Actual result:
--------------
"Set-cookie test = deleted" is not output

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-22 01:24 UTC] yohgaki@php.net
-Status: Open +Status: Not a bug
 [2016-09-22 01:24 UTC] yohgaki@php.net
I'm not sure what problem you have.
However, how to treat malformed domain in Set-Cookie header is up to browser. i.e. When you send cookies from different scripts, this could happen.

Session module removes old cookies to avoid sending multiple session ID cookies. PHP does not use cookie attribute to distinguish cookies. Correct(Logical) behavior is to override any cookie previously defined. It does as it supposed for both PHP 5.x and 7.x.

If you still think there is a bug, please provide complete script and describe issue in detail, reproducing procedure especially.

------------------------------------------
[yohgaki@dev php.net]$ cat t.php
<?php
session_name('test');
session_set_cookie_params(0, '/', '.domain.com');

session_start();

setcookie('test', '', time()-10000000, '/', 'domain.com'); 

session_regenerate_id(true); 



------------------------------------------

GET /t.php HTTP/1.1
Host: domain.com:8888
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ja,en-US;q=0.8,en;q=0.6
Cookie: test=4f94c1fbe752009ee1ee76a53e52c8c5
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Content-type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Host: domain.com:8888
Pragma: no-cache
Set-Cookie: test=dbb8600a89d76e3a901dea50015d179c; path=/; domain=.domain.com
X-Powered-By: PHP/5.6.27-dev

------------------------------------------

GET /t.php HTTP/1.1
Host: domain.com:8888
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ja,en-US;q=0.8,en;q=0.6
Cookie: test=4f94c1fbe752009ee1ee76a53e52c8c5
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Host: domain.com:8888
Pragma: no-cache
Set-Cookie: test=de7b1b94f21ab18ebb40e738532b63b2; path=/; domain=.domain.com
X-Powered-By: PHP/7.0.12-dev

------------------------------------------
 [2016-09-26 20:54 UTC] evgeny dot budakov+phpnet at gmail dot com
I will provide with additional explanation with full headers output and script source. 

Issue I described doesn't have to deal with browser implementation but rather with proper un setting of a cookie that was previously set.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jul 31 19:01:27 2021 UTC