php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77238 session_set_cookie_params behavior change in PHP 7.2
Submitted: 2018-12-04 18:58 UTC Modified: 2018-12-08 06:26 UTC
From: john at zerocrates dot org Assigned:
Status: Not a bug Package: Session related
PHP Version: 7.2.12 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2018-12-04 18:58 UTC] john at zerocrates dot org 
Description:
------------
Under PHP 7.1, calling session_set_cookie_params with an active session will successfully change the cookie sent to the client, IF session_regenerate_id is called afterward.

In PHP 7.2, calling session_set_cookie_params with an active session emits a warning:

Warning:  session_set_cookie_params(): Cannot change session cookie parameters when session is active

Additionally, the cookie is _not_ changed.

I've seen this described as a change which merely emits warnings informing developers of patterns that never worked in the first place and just failed silently (for example, the comments on #75650), but in this case presumably the function is bailing out after printing the warning, and the actual behavior is changed.

I was unable to find any discussion of this change in the migration documentation for PHP 7.2.

Test script:
---------------
session_start();
$params = session_get_cookie_params();
session_set_cookie_params(100, $params['path'], $params['domain'], $params['secure']);
session_regenerate_id();

// Under 7.1 this emits a Set-Cookie with the 100-second lifetime respected

// Under 7.2, it produces a warning and the Set-Cookie does not respect the new lifetime

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-04 19:12 UTC] john at zerocrates dot org 
Bug #76358 seems to be a different facet of the same basic problem or change.
 [2018-12-08 06:21 UTC] yohgaki@php.net
-Status: Open +Status: Not a bug
 [2018-12-08 06:21 UTC] yohgaki@php.net 
Program must set all parameters for session before activating session from PHP 7.2.
 [2018-12-08 06:26 UTC] yohgaki@php.net 
Please refer to PHP 7.2's UPGRADING in the source.

Changning session parameter for active session was the main cause of the session related bugs.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Apr 01 08:01:31 2025 UTC