PHP :: Bug #75554 :: session_regenerate_id() causes duplicate Set-Cookie header to be sent

[2017-11-22 12:37 UTC] arve at coretrek dot no

Description:
------------
When calling session_start() and then session_regenerate_id(), PHP will send two Set-Cookie headers, one containing the old session id and the other containing the new session id. 

Testet on: 
* PHP 7.1.11 on Ubuntu 12.04 (installed via phpbrew) 
* PHP 7.0.22-0ubuntu0.16.04.1 on Linux Mint 18

Test script:
---------------
First, create sessiontest.php: 
<?php
session_start();
if (!isset($_SESSION['SessionInitiated'])) {
    session_regenerate_id();
    $_SESSION['SessionInitiated'] = true;
}
?>

Then, access sessiontest.php through Apache and inspect response headers, e.g. by using curl: 
curl -sv http://localhost/sessiontest.php  > /dev/null
*   Trying 127.0.1.1...
* Connected to localhost (127.0.1.1) port 80 (#0)
> GET /sessiontest.php HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 22 Nov 2017 12:07:52 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=8676mem4p76uka76ta2qq072q1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: PHPSESSID=rvud0d79be3oa77rnbag0lmgc2; path=/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8



Expected result:
----------------
Only send one Set-Cookie header (containing the new session id). 

Actual result:
--------------
Two Set-Cookie headers are sent, one containing the old session id and the other containing the new session id. This confuses browsers and cause some browsers to continue using the old session cookie. 

In addition, if you call  var_dump(headers_list()) at the end of the script, only ONE Set-Cookie header will be listed here, even though two headers are sent.

[2018-04-10 17:14 UTC] tilmann dot bach at telekom dot de

I can confirm this BUG. This behavior is in contrast to the RFC: https://tools.ietf.org/html/rfc6265#section-4.1.1

"Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name.  (See Section 5.2 for how user agents handle this case.)"

[2018-05-01 20:02 UTC] pmmaga@php.net

-Status: Open +Status: Analyzed -Package: Session related +Package: Apache2 related -Assigned To: +Assigned To: pmmaga

[2018-05-01 20:02 UTC] pmmaga@php.net

This bug is specific to apache2. I have looked into it and have created a PR with a potential fix. You can find more details on the PR itself.

[2018-05-01 20:12 UTC] pmmaga@php.net

Not able to link the PR at the moment. Here's the link: https://github.com/php/php-src/pull/3231

[2019-03-19 14:14 UTC] marthasimons8888 at gmail dot com

Then, access sessiontest.php through Apache and inspect response headers, e.g. by using curl: 
curl -sv http://localhost/sessiontest.php  > /dev/null
*   Trying 127.0.1.1...
* Connected to localhost (127.0.1.1) port 80 (#0)
> GET /sessiontest.php HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 22 Nov 2017 12:07:52 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=8676mem4p76uka76ta2qq072q1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: PHPSESSID=rvud0d79be3oa77rnbag0lmgc2; path=/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
I try https://goo.gl/LhppLn its work ok

[2020-03-25 15:48 UTC] pmmaga@php.net

-Assigned To: pmmaga +Assigned To:

[2020-07-06 09:04 UTC] seohigs3 at gmail dot com

HIGS we are a global PhD research assistance and we are the ultimate choice of every PhD research scholars. Here, you will get A to Z PhD assistance for all your research needs. As we serve as the best PhD research consultants, we are here to clarify you all your doubts regards to your research work. We can proudly say that HIGS rewarded as one of the most reliable and well-established research consultancies. If you approach HIGS we people guide you in-person or via an online method to guide you in terms of PhD admissions. We know that ‘knowledge is power’, thus we work based on the motive of giving 100%gratification for our clients. Our professionals are highly qualified and trained in various fields so that they can offer you the best PhD guidance. Since we started up HIGS, we are maintaining such great growth in PhD guidance and also in the journal paper publishing process. We have many satisfied clients in and out of India. We bring world-class services to our clients in terms of PhD admissions, University selection, Topic selection, Thesis paper writing, thesis paper editing, research paper writing, Viva process and more and more. We are bestowed with our reputed name as India’s best PhD assistance, which makes us to serve even better for our aspirants. You may think that PhD will take 5 to 6 years to complete, and finishing PhD in 3 years may be a nightmare. But at HIGS we make a unique and easy way for your research, we assure you that finishing PhD in 3 years it is possible. HIGS have the sole purpose of doing our services with 100% gratification of our clients. So we never lose our professionalism for anything. We offer entire PhD assistance and journal paper publication help, thesis writing help and more.
http://higssoftware.com/phd-research-paper-writing-services.php

[2020-07-09 08:57 UTC] phdguidancein at gmail dot com

Thanks for sharing this information. I really like .
phdguidancein India
Contact as:  <a href="http://www.phdguidancein.com/">phdguidancein chennai</a>

[2020-09-12 07:14 UTC] phdthesiswrite at gmail dot com

Thanks For Sharing by Best Thesis writers http://www.phdthesiswrite.com/

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2021 The PHP Group All rights reserved.	Last updated: Sat Apr 17 08:01:23 2021 UTC