Bug #77238 session_set_cookie_params behavior change in PHP 7.2
Submitted: 2018-12-04 18:58 UTC Modified: 2018-12-08 06:26 UTC
From: john at zerocrates dot org Assigned:
Status: Not a bug Package: Session related
PHP Version: 7.2.12 OS: Linux
Private report: No CVE-ID: None
 [2018-12-04 18:58 UTC] john at zerocrates dot org
Under PHP 7.1, calling session_set_cookie_params with an active session will successfully change the cookie sent to the client, IF session_regenerate_id is called afterward.

In PHP 7.2, calling session_set_cookie_params with an active session emits a warning:

Warning:  session_set_cookie_params(): Cannot change session cookie parameters when session is active

Additionally, the cookie is _not_ changed.

I've seen this described as a change which merely emits warnings informing developers of patterns that never worked in the first place and just failed silently (for example, the comments on #75650), but in this case presumably the function is bailing out after printing the warning, and the actual behavior is changed.

I was unable to find any discussion of this change in the migration documentation for PHP 7.2.

Test script:
<?php
session_start(); // the session is active from this point on

$params = session_get_cookie_params();
session_set_cookie_params(100, $params['path'], $params['domain'], $params['secure']);
session_regenerate_id(); // re-sends the session cookie

// Under 7.1 this emits a Set-Cookie with the 100-second lifetime respected

// Under 7.2, it produces a warning and the Set-Cookie does not respect the new lifetime


 [2018-12-04 19:12 UTC] john at zerocrates dot org
Bug #76358 seems to be a different facet of the same basic problem or change.
 [2018-12-08 06:21 UTC]
-Status: Open +Status: Not a bug
 [2018-12-08 06:21 UTC]
Programs must set all session parameters before activating the session, as of PHP 7.2.
 [2018-12-08 06:26 UTC]
Please refer to PHP 7.2's UPGRADING in the source.

Changing session parameters for an active session was the main cause of the session-related bugs.
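
Added example, not part of the bug report or of PHP's own code: the ordering described in the replies (set every cookie parameter, then start the session), plus one way to change the cookie lifetime of an already active session on PHP 7.2 by re-sending the cookie with setcookie(). The function names start_session_with_params and reissue_session_cookie are hypothetical, and the setcookie() step is an assumption about what the reporter wanted to achieve, not something proposed in the thread.

```php
<?php
// Added example (not from the bug report). Written for PHP 7.2, so it uses
// the positional forms of session_set_cookie_params() and setcookie().

/**
 * Set the cookie parameters first, then start the session.
 * Returns false instead of calling session_set_cookie_params() on an
 * active session, which PHP 7.2 rejects with a warning.
 */
function start_session_with_params(int $lifetime, bool $secure = true): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return false; // too late: the new parameters would be ignored
    }
    $p = session_get_cookie_params();
    // Keep path/domain from php.ini, force HttpOnly, set lifetime and Secure.
    session_set_cookie_params($lifetime, $p['path'], $p['domain'], $secure, true);
    return session_start();
}

/**
 * Hypothetical helper: give the cookie of an ACTIVE session a new lifetime
 * by sending it again explicitly. The session ID and the other cookie
 * attributes are reused unchanged; only the expiry differs.
 */
function reissue_session_cookie(int $lifetime): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE || headers_sent()) {
        return false; // no session to re-send, or headers already flushed
    }
    $p = session_get_cookie_params();
    return setcookie(
        session_name(),
        session_id(),
        $lifetime > 0 ? time() + $lifetime : 0, // 0 = until the browser closes
        $p['path'],
        $p['domain'],
        $p['secure'],
        $p['httponly']
    );
}

// Constructed usage: one-hour cookie at start, shortened to 100 seconds later.
start_session_with_params(3600);
reissue_session_cookie(100);
```

The second Set-Cookie header carries the same cookie name, so the browser keeps the last one it receives; the server-side session lifetime (session.gc_maxlifetime) is not affected by either call.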
Last updated: Sun Sep 19 06:03:36 2021 UTC