|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74615 Unexpected session ID change on overridden SessionHandler::read() method
Submitted: 2017-05-18 15:41 UTC Modified: -
From: mikebranttx at gmail dot com Assigned:
Status: Open Package: Session related
PHP Version: 5.6.30 OS: Mac OSX 10.10.5
Private report: No CVE-ID:
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: mikebranttx at gmail dot com
New email:
PHP Version: OS:


 [2017-05-18 15:41 UTC] mikebranttx at gmail dot com

PHP 5.6.30_6 CLI as installed via Homebrew on Mac. (Also reproduced in Travis CI Debian build environment with PHP 5.6.5 CLI).
xdebug 2.5.4
PHPUnit 5.7.0 (being used to run test in which error is reproduced

Loaded extensions:
bcmath, bz2, calendar, Core, ctype, curl, date, dba, dom, ereg, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, json, ldap, libxml, mbstring, mhash, mysql, mysqli, mysqlnd, odbc, openssl, pcntl, pcre, PDO, pdo_mysql, PDO_ODBC, pdo_sqlite, Phar, posix, readline, Reflection, session, shmop, SimpleXML, soap, sockets, SPL, sqlite3, standard, sysvmsg, sysvsem, sysvshm, tokenizer, wddx, xdebug, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib

Code in which issue was surfaced is available to be installed as composer package at -
 with source in GitHub at


When working with a class extending SessionHandler (UltimateSessionHandler in referenced package), There is unexpected change of session Id within overridden read() method between the session ID passed as argument to the method that takes place after parent::read() is called.  This happens on line 53 of UltimateSessionHandler where parent::read() is called and can be reproduced by either evaluating session_id() in debug session immediately after this call or calling session_id().

This issue has only been reproduced against PHP 5.6.30 when running unit (integration) tests. This library is tested against PHP 7.0, 7.1, and 7.2 (nightly) in CI environment and this problem is not surfaced in any of these environments.

This may possibly be related to closed bug:

But in my case, I am not trying to provide custom session ID, but rather use session ID's generated by PHP.

Test script:
Pertinent part of unit test script (tests/UltimateSessionLibraryIntegrationTest.php):

Starting at line 121:

121        $handler = new UltimateSessionHandler($handlerConfig);

132        $manager = new UltimateSessionManager($managerConfig, $changeIdCallback);
138        $this->assertEquals('', session_id());
139        $manager->startSession();

Note the above unit test is run in an isolated process form main test execution.

startSession() above triggers session_start() at src/UltimateSessions/UltimateSessionsManager.php line 148, where first line of startSession method is as follows:

148        $result = session_start();

The session_start() process then triggers UltimateSessionHandler::read() (src/UltimateSessions/UltimateSessionHandler.php) an overridden method for \SessionHandler::read().  The code for this method is:

50    public function read($sessionId)
51    {
52        $this->validateSessionId($sessionId);
53        $sessionData = parent::read($sessionId);
54        if($this->config->useEncryption) {
55            return $this->decrypt($sessionId, $sessionData);
56        }
57        return $sessionData;
58    }

It is after line 53 executes call to parent::read() that evaluation of session_id() changes from value passed in method argument to a new session ID value.

Expected result:
During session_start(), session ID passed to overridden read() method in class extending SessionHandler would be expected to be the same as session ID returned from session_id() call after session_start() has completed when parent::read() is called from method.

Code works as expected in PHP 7.0.x, 7.1.x and nightly builds as shown from most recent build -

Note: you can see failed tests under PHP 5.6.5 build that relate to this issue.

Actual result:
Immediately after call to parent::read() in overriding method, session ID value as returned from session_id() differs from the value passed as argument to the read() method.


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC