php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78858 session_set_cookie_params() can't be used with php_admin_*
Submitted: 2019-11-22 17:03 UTC Modified: 2019-11-25 17:10 UTC
From: pajomasoma at gmail dot com Assigned:
Status: Open Package: PHP options/info functions
PHP Version: 7.3.12 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2019-11-22 17:03 UTC] pajomasoma at gmail dot com
Description:
------------
session_set_cookie_params() fails if one of the setting below has been set by php_admin_flag/php_admin_value, even if not trying to change them.

session.httponly
session.secure
session.samesite

Not clear if this is intended behavior. I expected to be able to use session_set_cookie_params() if not trying to change from what was set by php_admin_flag/php_admin_value. Instead, it fails, ignoring other values that could have been set (see test script for samesite setting example).

Test script:
---------------
// php_admin_flag[session.cookie_httponly] = on
// php_admin_flag[session.cookie_secure] = on 

print_r($cookieParams = session_get_cookie_params());

$cookieParams['samesite'] = 'Lax';
var_dump(session_set_cookie_params($cookieParams));

print_r(session_get_cookie_params());

Expected result:
----------------
Array
(
    [lifetime] => 0
    [path] => /
    [domain] => 
    [secure] => 1
    [httponly] => 1
    [samesite] => 
)
bool(true)
Array
(
    [lifetime] => 0
    [path] => /
    [domain] => 
    [secure] => 1
    [httponly] => 1
    [samesite] => Lax
)

Actual result:
--------------
Array
(
    [lifetime] => 0
    [path] => /
    [domain] => 
    [secure] => 1
    [httponly] => 1
    [samesite] => 
)
bool(false)
Array
(
    [lifetime] => 0
    [path] => /
    [domain] => 
    [secure] => 1
    [httponly] => 1
    [samesite] => 
)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-22 17:43 UTC] fgfgfgfdf at somewhere dot com
just don't use session_set_cookie_params() when you want to read and ther is session_get_cookie_params()
 [2019-11-25 11:54 UTC] pajomasoma at gmail dot com
Not trying to read the values.

The issue is if one tries to use session_set_cookie_params() when a setting has been locked with php_admin_*.

For example, it's not possible to change session.httponly using the $httpOnly parameter of session_set_cookie_params, if session.secure was locked with php_admin_flag — even if the value on the session_set_cookie_params() call is the same one.
 [2019-11-25 17:10 UTC] cmb@php.net
session_set_cookie_params() walks through all given options in the
order lifetime, path, domain, secure, httponly and samesite, and
tries to change the ini setting (without checking whether the new
value is different).  On the first failed attempt to do so, the
function returns.

You can just unset those options which are not allowed to be
changed.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Apr 10 10:01:24 2020 UTC