php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73245 session_start() doesn't start the session if headers have been sent
Submitted: 2016-10-04 17:40 UTC Modified: 2016-10-13 22:56 UTC
Votes:4
Avg. Score:4.0 ± 1.0
Reproduced:2 of 4 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php at duncanc dot co dot uk Assigned: yohgaki (profile)
Status: Wont fix Package: Session related
PHP Version: 7.1.0RC3 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2016-10-04 17:40 UTC] php at duncanc dot co dot uk 
Description:
------------
In `7.0` and `5.6` calling `session_start()` even if headers have been sent still made `$_SESSION` usable, but `7.1` changes this behaviour.

Test script:
---------------
session_start();
$_SESSION['blah'] = 'foo';
var_dump($_SESSION);
session_write_close();

session_start();
var_dump($_SESSION);

Expected result:
----------------
The dumped array should be the same both times:
array(1) {
  ["blah"]=>
  string(3) "foo"
}

Actual result:
--------------
The second array dump is empty

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-05 10:51 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: yohgaki
 [2016-10-05 10:51 UTC] cmb@php.net 
According to `git bisect` the offending commit is
<https://github.com/php/php-src/commit/c200e8e1>.

Yasuo, can you please have a look at this issue.
 [2016-10-05 12:17 UTC] yohgaki@php.net
-Status: Verified +Status: Assigned
 [2016-10-05 12:17 UTC] yohgaki@php.net 
@cmd Thank you for investigation.
I'll look into this, but it seems I need more info. It works for me... 
Perhaps, SAPI involved? 

[yohgaki@dev PHP-7.1]$ ./php-bin 
<?php
session_start();
$_SESSION['blah'] = 'foo';
var_dump($_SESSION);
session_write_close();

session_start();
var_dump($_SESSION);
?>


array(1) {
  ["blah"]=>
  string(3) "foo"
}

Warning: session_start(): Cannot send session cookie - headers already sent by (output started at -:4) in - on line 7

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at -:4) in - on line 7
array(1) {
  ["blah"]=>
  string(3) "foo"
}
 [2016-10-05 15:02 UTC] cmb@php.net 
Indeed, it appears to break only if there is already some output
before the first session_start(). Try:

    <?php
    echo "start\n";
    session_start();
    $_SESSION['blah'] = 'foo';
    var_dump($_SESSION);
    session_write_close();
    
    session_start();
    var_dump($_SESSION);
 [2016-10-06 08:05 UTC] yohgaki@php.net 
Related To: Bug #71038
 [2016-10-06 08:07 UTC] yohgaki@php.net 
Not initializing $_SESSION by 2nd session_start() is not a bug actually, but it should fail to initialize $_SESSION always when session_start() cannot be started. This is the objective for the bug fix commit mentioned.

So real bug here is session module initializes $_SESSION even if it failed to start when there is no output before 1st session_start().

This report's bug won't be fixed. I re-opened bug #71038.
 [2016-10-06 08:07 UTC] yohgaki@php.net
-Status: Assigned +Status: Wont fix
 [2016-10-11 16:26 UTC] nikic@php.net 
@yasuo: As noted on the linked PR, it would be good to add an UPGRADING note about this.
 [2016-10-13 22:56 UTC] yohgaki@php.net 
@nikic 
Done. Thanks.
 [2017-04-01 16:22 UTC] daarthv at yahoo dot com 
In my case session_set_cookie_params() causes problem, if i set domain, secure or httponly session is not set and cookie not sent, but if i leave only lifetime and path works ok. Any ideas how to fix it?
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 12:00:01 2025 UTC