php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74548 Session name and session id binding
Submitted: 2017-05-06 09:46 UTC Modified: 2018-05-30 10:26 UTC
From: gollumben at gmx dot de Assigned:
Status: Not a bug Package: Session related
PHP Version: 7.0.18 OS: Debian GNU/Linux 8 (jessie)
Private report: No CVE-ID: None
 [2017-05-06 09:46 UTC] gollumben at gmx dot de
Description:
------------
When starting a session with a certain name, closing it and starting a session with a different name, the session ID is not changed. I find this misleading. I use cookies for the session ID storage and with this procedure there will be two cookies with different names with the same session ID.

In my opinion, PHP should create a new session ID for a new session with a different name. This also makes makes sense from a different point of view: When starting a session with a different name, PHP will want to look for the cookie with the other name.

Admitting, the practice of using multiple sessions within one script is not be the best.

Test script:
---------------
session_name("session1");
session_start();

echo session_name() ." ". session_id() ."<br>";

session_write_close();


session_name("session2");
session_start();

echo session_name() ." ". session_id(); //the ID will be the same as before

Expected result:
----------------
The second session ID should be different from the first one.

Actual result:
--------------
The second session ID and the first are the same.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-05-30 10:16 UTC] tony at marston-home dot demon dot co dot uk
This is not a bug.

The session name and id are different entities which can be changed independently of each other. Changing one does not automatically change the other. If you want to change the name then use session_name(). If you want to change the id then use session_regenerate_id(). The correct code to do what you want is as follows:

session_start();         // obtains $_SESSION array
… do stuff
session_name('newname'); // change session name only
session_regenerate_id(); // change session id only
session_write_close();   // required otherwise the next call will to
                         // session_start() will fail
session_start();         // starts session with new name and id and
                         // old $_SESSION array
 [2018-05-30 10:26 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2018-05-30 10:26 UTC] requinix@php.net
.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Apr 09 05:01:23 2020 UTC