php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75554 session_regenerate_id() causes duplicate Set-Cookie header to be sent
Submitted: 2017-11-22 12:37 UTC Modified: 2020-03-25 15:48 UTC
Votes:12
Avg. Score:4.2 ± 0.9
Reproduced:10 of 11 (90.9%)
Same Version:1 (10.0%)
Same OS:2 (20.0%)
From: arve at coretrek dot no Assigned:
Status: Analyzed Package: Apache2 related
PHP Version: 7.1.11 OS: Linux Mint 18, Ubuntu 12.04 LTS
Private report: No CVE-ID: None
View Developer Edit
 [2017-11-22 12:37 UTC] arve at coretrek dot no 
Description:
------------
When calling session_start() and then session_regenerate_id(), PHP will send two Set-Cookie headers, one containing the old session id and the other containing the new session id. 

Testet on: 
* PHP 7.1.11 on Ubuntu 12.04 (installed via phpbrew) 
* PHP 7.0.22-0ubuntu0.16.04.1 on Linux Mint 18

Test script:
---------------
First, create sessiontest.php: 
<?php
session_start();
if (!isset($_SESSION['SessionInitiated'])) {
    session_regenerate_id();
    $_SESSION['SessionInitiated'] = true;
}
?>

Then, access sessiontest.php through Apache and inspect response headers, e.g. by using curl: 
curl -sv http://localhost/sessiontest.php  > /dev/null
*   Trying 127.0.1.1...
* Connected to localhost (127.0.1.1) port 80 (#0)
> GET /sessiontest.php HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 22 Nov 2017 12:07:52 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=8676mem4p76uka76ta2qq072q1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: PHPSESSID=rvud0d79be3oa77rnbag0lmgc2; path=/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8



Expected result:
----------------
Only send one Set-Cookie header (containing the new session id). 

Actual result:
--------------
Two Set-Cookie headers are sent, one containing the old session id and the other containing the new session id. This confuses browsers and cause some browsers to continue using the old session cookie. 

In addition, if you call  var_dump(headers_list()) at the end of the script, only ONE Set-Cookie header will be listed here, even though two headers are sent.

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-04-10 17:14 UTC] tilmann dot bach at telekom dot de 
I can confirm this BUG. This behavior is in contrast to the RFC: https://tools.ietf.org/html/rfc6265#section-4.1.1

"Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name.  (See Section 5.2 for how user agents handle this case.)"
 [2018-05-01 20:02 UTC] pmmaga@php.net
-Status: Open +Status: Analyzed -Package: Session related +Package: Apache2 related -Assigned To: +Assigned To: pmmaga
 [2018-05-01 20:02 UTC] pmmaga@php.net 
This bug is specific to apache2. I have looked into it and have created a PR with a potential fix. You can find more details on the PR itself.
 [2018-05-01 20:12 UTC] pmmaga@php.net 
Not able to link the PR at the moment. Here's the link: https://github.com/php/php-src/pull/3231
 [2019-03-19 14:14 UTC] marthasimons8888 at gmail dot com 
Then, access sessiontest.php through Apache and inspect response headers, e.g. by using curl: 
curl -sv http://localhost/sessiontest.php  > /dev/null
*   Trying 127.0.1.1...
* Connected to localhost (127.0.1.1) port 80 (#0)
> GET /sessiontest.php HTTP/1.1
> Host: localhost
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Wed, 22 Nov 2017 12:07:52 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Set-Cookie: PHPSESSID=8676mem4p76uka76ta2qq072q1; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: PHPSESSID=rvud0d79be3oa77rnbag0lmgc2; path=/
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
I try https://goo.gl/LhppLn its work ok
 [2020-03-25 15:48 UTC] pmmaga@php.net
-Assigned To: pmmaga +Assigned To:
 [2021-04-22 16:46 UTC] cmb@php.net 
The following pull request has been associated:

Patch Name: Fix #75554 - Recreate all Set-Cookie headers from current sapi_headers
On GitHub:  https://github.com/php/php-src/pull/3231
Patch:      https://github.com/php/php-src/pull/3231.patch
 [2024-05-17 14:29 UTC] marthasimons8888 at gmail dot com 
< Pragma: no-cache
< Set-Cookie: PHPSESSID=rvud0d79be3oa77rnbag0lmgc2; path=/ 
< Content-Length: 0
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Jul 14 21:01:33 2025 UTC