PHP :: Bug #74548 :: Session name and session id binding

Bug #74548	Session name and session id binding
Submitted:	2017-05-06 09:46 UTC	Modified:	2018-05-30 10:26 UTC
From:	gollumben at gmx dot de	Assigned:
Status:	Not a bug	Package:	Session related
PHP Version:	7.0.18	OS:	Debian GNU/Linux 8 (jessie)
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	gollumben at gmx dot de
New email:
PHP Version:		OS:

New Comment:

[2017-05-06 09:46 UTC] gollumben at gmx dot de

Description:
------------
When starting a session with a certain name, closing it and starting a session with a different name, the session ID is not changed. I find this misleading. I use cookies for the session ID storage and with this procedure there will be two cookies with different names with the same session ID.

In my opinion, PHP should create a new session ID for a new session with a different name. This also makes makes sense from a different point of view: When starting a session with a different name, PHP will want to look for the cookie with the other name.

Admitting, the practice of using multiple sessions within one script is not be the best.

Test script:
---------------
session_name("session1");
session_start();

echo session_name() ." ". session_id() ."<br>";

session_write_close();


session_name("session2");
session_start();

echo session_name() ." ". session_id(); //the ID will be the same as before

Expected result:
----------------
The second session ID should be different from the first one.

Actual result:
--------------
The second session ID and the first are the same.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-05-30 10:16 UTC] tony at marston-home dot demon dot co dot uk

This is not a bug.

The session name and id are different entities which can be changed independently of each other. Changing one does not automatically change the other. If you want to change the name then use session_name(). If you want to change the id then use session_regenerate_id(). The correct code to do what you want is as follows:

session_start();         // obtains $_SESSION array
… do stuff
session_name('newname'); // change session name only
session_regenerate_id(); // change session id only
session_write_close();   // required otherwise the next call will to
                         // session_start() will fail
session_start();         // starts session with new name and id and
                         // old $_SESSION array

[2018-05-30 10:26 UTC] requinix@php.net

-Status: Open +Status: Not a bug

[2018-05-30 10:26 UTC] requinix@php.net

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri May 10 22:01:32 2024 UTC