|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #76413 session_name() documentation is wrong
Submitted: 2018-06-05 09:49 UTC Modified: 2018-06-06 10:19 UTC
Avg. Score:3.5 ± 1.7
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:1 (33.3%)
From: tony at marston-home dot demon dot co dot uk Assigned:
Status: Verified Package: Session related
PHP Version: 7.2.6 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
30 + 12 = ?
Subscribe to this entry?

 [2018-06-05 09:49 UTC] tony at marston-home dot demon dot co dot uk
The manual page for session_name() has recently been updated to include the following:

"When new session name is supplied, session_name() modifies HTTP cookie (and output contents when session.transid is enabled). Once HTTP cookie is sent, session_name() raises error."

I have run several tests, and I cannot see this behaviour, nor has it ever been the behaviour in all past versions of PHP.

Changing the session name does not create or modify any cookies. Session cookies are only created with session-start() and modified with session_regenerate_id().

It is also possible to create a cookie before calling session_name('newname') without any error.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-05 10:03 UTC]
-Assigned To: +Assigned To: yohgaki
 [2018-06-06 09:28 UTC]
-Status: Assigned +Status: Not a bug
 [2018-06-06 09:28 UTC]
I'm not sure who does the update, but sentence is correct.
Cookie sent checks(session_id() and session_name()) were there for a long time.

Try "php -a", then
echo 1
session_name('new'); // or session_id('new');
 [2018-06-06 09:50 UTC]
-Status: Not a bug +Status: Verified -Assigned To: yohgaki +Assigned To:
 [2018-06-06 09:50 UTC]
The problem is the docs now say "session_name() modifies HTTP cookie", which sounds like calling session_name *changes* the cookie after it has already been set with session_start(). It does not. But I think I understand the intention behind this addition: it's trying to say that session_name (and thus are *used* in the cookie, so changing the value will affect what the cookie *will include* when the session *is started later*.

I don't know that this addition even needs to be in the documentation for session_name() at all - it should be explained in the rest of the session docs already. But in order to keep it, a better explanation could be

> session_name() controls the name portion of the HTTP cookie used for sessions (if using cookies), and when a new
> session name is supplied then session_start() will use the new name. session_name() cannot be used when a session
> has already started, but the session can be closed, the name changed, and the session restarted. session_name()
> also cannot be used if headers have already been sent.

(see also bug #76358)

Then similar language for session_id() and the other functions that change session INI settings.
 [2018-06-06 09:57 UTC]
Oops. These were added since it simply does not work if cookie is already sent.
TranSID wouldn't work correctly once output is started also.

Since it does no work anyway, it's just a error notification.
 [2018-06-06 09:58 UTC] tony at marston-home dot demon dot co dot uk
If you are not sure who does the update then you need to check. Try running the following code:
$dump = print_r($_COOKIE, true);
$name = session_name();
session_name('newname');  // cookie will not show up until next run

Now try running it again. You will see that $_COOKIE does NOT contain an entry for 'newname'. This is because the cookie is NOT created by session_name(). It is only created with the subsequent call to session_start() when both the name and id are available.

The documentation is NOT accurate, therefore it should be amended.
 [2018-06-06 10:08 UTC]
"Already sent cookie" was checked at session_start() previously. Therefore I forgot about added cookie check.

Older PHPs had cookie already sent errors. PHP 7.2 notifies unworkable code a bit earlier. That's all.
 [2018-06-06 10:19 UTC]
PHP 7.2' session module detects unworkable / problematic session function usages as it should. If I miss some descriptions, please let me know.
 [2018-06-06 10:42 UTC] tony at marston-home dot demon dot co dot uk
You cannot prove that session_name() creates or modifies any cookies, so the documentation which says that it does is not accurate and should be changed.

When you say "PHP 7.2 session module detects unworkable / problematic session function usages as it should" you are not describing any behaviour which resulted in any bug reports, you are only describing behaviour which you *thought* could cause problems. Your fix did not actually solve any reported problems, all it did was break perfectly valid code which had run successfully for the past 15 years.

You should not meddle with PHP functions to fix imaginary problems when your fixes turn out to cause real problems.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu May 30 07:01:30 2024 UTC