php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #76413 session_name() documentation is wrong
Submitted: 2018-06-05 09:49 UTC Modified: 2018-06-06 10:19 UTC
Votes:4
Avg. Score:3.5 ± 1.7
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: tony at marston-home dot demon dot co dot uk Assigned:
Status: Verified Package: Session related
PHP Version: 7.2.6 OS:
Private report: No CVE-ID: None
View Developer Edit
 [2018-06-05 09:49 UTC] tony at marston-home dot demon dot co dot uk 
Description:
------------
The manual page for session_name() has recently been updated to include the following:

"When new session name is supplied, session_name() modifies HTTP cookie (and output contents when session.transid is enabled). Once HTTP cookie is sent, session_name() raises error."

I have run several tests, and I cannot see this behaviour, nor has it ever been the behaviour in all past versions of PHP.

Changing the session name does not create or modify any cookies. Session cookies are only created with session-start() and modified with session_regenerate_id().

It is also possible to create a cookie before calling session_name('newname') without any error.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-05 10:03 UTC] requinix@php.net
-Assigned To: +Assigned To: yohgaki
 [2018-06-06 09:28 UTC] yohgaki@php.net
-Status: Assigned +Status: Not a bug
 [2018-06-06 09:28 UTC] yohgaki@php.net 
I'm not sure who does the update, but sentence is correct.
Cookie sent checks(session_id() and session_name()) were there for a long time.

Try "php -a", then
echo 1
session_name('new'); // or session_id('new');
 [2018-06-06 09:50 UTC] requinix@php.net
-Status: Not a bug +Status: Verified -Assigned To: yohgaki +Assigned To:
 [2018-06-06 09:50 UTC] requinix@php.net 
The problem is the docs now say "session_name() modifies HTTP cookie", which sounds like calling session_name *changes* the cookie after it has already been set with session_start(). It does not. But I think I understand the intention behind this addition: it's trying to say that session_name (and thus session.name) are *used* in the cookie, so changing the value will affect what the cookie *will include* when the session *is started later*.

I don't know that this addition even needs to be in the documentation for session_name() at all - it should be explained in the rest of the session docs already. But in order to keep it, a better explanation could be

> session_name() controls the name portion of the HTTP cookie used for sessions (if using cookies), and when a new
> session name is supplied then session_start() will use the new name. session_name() cannot be used when a session
> has already started, but the session can be closed, the name changed, and the session restarted. session_name()
> also cannot be used if headers have already been sent.

(see also bug #76358)

Then similar language for session_id() and the other functions that change session INI settings.
 [2018-06-06 09:57 UTC] yohgaki@php.net 
Oops. These were added since it simply does not work if cookie is already sent.
TranSID wouldn't work correctly once output is started also.

Since it does no work anyway, it's just a error notification.
 [2018-06-06 09:58 UTC] tony at marston-home dot demon dot co dot uk 
If you are not sure who does the update then you need to check. Try running the following code:
<?php
$dump = print_r($_COOKIE, true);
$name = session_name();
session_name('newname');  // cookie will not show up until next run
exit;

Now try running it again. You will see that $_COOKIE does NOT contain an entry for 'newname'. This is because the cookie is NOT created by session_name(). It is only created with the subsequent call to session_start() when both the name and id are available.

The documentation is NOT accurate, therefore it should be amended.
 [2018-06-06 10:08 UTC] yohgaki@php.net 
"Already sent cookie" was checked at session_start() previously. Therefore I forgot about added cookie check.

Older PHPs had cookie already sent errors. PHP 7.2 notifies unworkable code a bit earlier. That's all.
 [2018-06-06 10:19 UTC] yohgaki@php.net 
PHP 7.2' session module detects unworkable / problematic session function usages as it should. If I miss some descriptions, please let me know.
 [2018-06-06 10:42 UTC] tony at marston-home dot demon dot co dot uk 
You cannot prove that session_name() creates or modifies any cookies, so the documentation which says that it does is not accurate and should be changed.

When you say "PHP 7.2 session module detects unworkable / problematic session function usages as it should" you are not describing any behaviour which resulted in any bug reports, you are only describing behaviour which you *thought* could cause problems. Your fix did not actually solve any reported problems, all it did was break perfectly valid code which had run successfully for the past 15 years.

You should not meddle with PHP functions to fix imaginary problems when your fixes turn out to cause real problems.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC