Request #8809 Cookieless session with Header redirects
Submitted: 2001-01-19 14:44 UTC
Modified: 2010-12-22 14:34 UTC
Avg. Score: 3.7 ± 1.9
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 1 (33.3%)
From: bf at ez dot no
Assigned:
Status: Not a bug
Package: *General Issues
PHP Version: 4.0.4pl1
OS: All
Private report: No
CVE-ID: None


 [2001-01-19 14:44 UTC] bf at ez dot no
I have code like:

if ( !isset( $Foo ) )
        session_register( "Foo" );
 print( $Foo );

Header( "Location: /index.php" );

This does not work with cookieless sessions because the session information is not added to the header() if it's a redirect. 

The header() should add the PHPSESSIONID variable to the redirection path if it contains "Location: " like it does with other URLs and forms.


 [2001-01-23 12:33 UTC] bf at ez dot no
When PHP is compiled with --enable-trans-sid, HTTP redirects with header() do not work with cookieless sessions.

This must be a bug. 

Here is how I fixed it with PHP code. The header() function should handle this if --enable-trans-sid is compiled in:

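function ezheader( $string )
{
    // Session id as exposed in the global scope (register_globals)
    $sid =& $GLOBALS["PHPSESSID"];

    if ( isset( $sid ) )
    {
        // strpos() returns false when there is no "?" in the string
        $pos = strpos( $string, "?" );

        if ( $pos !== false )
            $string = $string . "&PHPSESSID=$sid";
        else
            $string = $string . "?PHPSESSID=$sid";
    }
    header( $string );
}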

This code will automatically append the session id if it exists and that enables cookieless sessions with header( "Location: " ) redirects.

 [2010-12-22 14:34 UTC]
-Status: Open
+Status: Bogus
-Package: Feature/Change Request
+Package: *General Issues
 [2010-12-22 14:34 UTC]
You have to use the SID constant.

To be standards compliant a Location header has to contain the complete URL. The session rewriter won't touch complete URLs, so it won't touch the Location header.
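
The approach from the reply above (a complete URL in the Location header, with the SID constant appended by hand), as an added example that is not code from this report or from PHP itself. The helper names redirect_url() and redirect(), the example.com origin and the sample values are assumptions; the helper also refuses non-local targets and control characters, since the session id travels in the header it builds.

```php
<?php
// Added example: hypothetical helpers, not part of PHP or of this bug report.

/**
 * Build the complete URL for a Location header. When $sid is non-empty
 * (the value of the SID constant, "name=id") it is added to the query
 * string, ahead of any #fragment.
 */
function redirect_url(string $path, string $sid, string $origin): string
{
    // Accept only local absolute paths. "//host" and "/\host" leave the site,
    // and CR/LF or other control bytes would split the response header.
    if ($path === '' || $path[0] !== '/' || strncmp($path, '//', 2) === 0
        || preg_match('/[\x00-\x20\x7f\\\\]/', $path)) {
        throw new InvalidArgumentException('redirect target must be a local absolute path');
    }
    if ($sid !== '') {
        // Re-encode both halves of "name=id" instead of trusting the raw string.
        [$name, $id] = array_pad(explode('=', $sid, 2), 2, '');
        $param = rawurlencode($name) . '=' . rawurlencode($id);
        // Split off the fragment so the parameter lands in the query string.
        $hash     = strpos($path, '#');
        $fragment = $hash === false ? '' : substr($path, $hash);
        $base     = $hash === false ? $path : substr($path, 0, $hash);
        $path     = $base . (strpos($base, '?') === false ? '?' : '&') . $param . $fragment;
    }
    return rtrim($origin, '/') . $path;
}

function redirect(string $path): void
{
    // Assumption: the origin is fixed configuration, not read from the Host header.
    $origin = 'https://www.example.com';
    // SID only exists after session_start(); it is empty when a cookie carried the id.
    $sid = defined('SID') ? SID : '';
    header('Location: ' . redirect_url($path, $sid, $origin), true, 302);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: a cookieless session, then a cookie-backed one (empty SID).
    echo redirect_url('/index.php?a=1#top', 'PHPSESSID=abc123', 'https://www.example.com'), "\n";
    echo redirect_url('/index.php', '', 'https://www.example.com'), "\n";
}
```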
Last updated: Tue Sep 28 17:03:37 2021 UTC