Grokbase Groups PHP php-internals November 2011
FAQ
Hello,

Calling session_regenerate_id() inside a same request will generate
multiple Set-Cookie headers

example code:
<?
session_start();
session_regenerate_id();
session_regenerate_id();
?>

will result in, e.g.:
Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/

As per rfc6265, it seems incorrect:
"Servers SHOULD NOT include more than one Set-Cookie header field in
the same response with the same cookie-name."

And is causing errors on some Blackberry and IE8:
http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562

It looks like the culprit is in ext/session/session.c:
/* 'replace' must be 0 here, else a previous Set-Cookie
header, probably sent with setcookie() will be replaced! */
sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);
where 'replace' is intentionally set to 0 while everywhere else it is
called with replace = 1 (or via sapi_add_header())

Can someone explain me why we intentionally have that behavior ?

Cheers,
Patrick

Search Discussions

  • Paul Dragoonis at Nov 15, 2011 at 10:13 pm

    On Tue, Nov 15, 2011 at 10:09 PM, Patrick ALLAERT wrote:
    Hello,

    Calling session_regenerate_id() inside a same request will generate
    multiple Set-Cookie headers

    example code:
    <?
    session_start();
    session_regenerate_id();
    session_regenerate_id();
    ?>

    will result in, e.g.:
    Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
    Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/

    As per rfc6265, it seems incorrect:
    "Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name."

    And is causing errors on some Blackberry and IE8:
    http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
    http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562

    It looks like the culprit is in ext/session/session.c:
    /* 'replace' must be 0 here, else a previous Set-Cookie
    header, probably sent with setcookie() will be replaced! */
    sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);
    where 'replace' is intentionally set to 0 while everywhere else it is
    called with replace = 1 (or via sapi_add_header())

    Can someone explain me why we intentionally have that behavior ?
    Patrick, I don't know the reason why this is, but if it's filed as a
    bug then i'm happy to patch it!.
    - Paul.
    Cheers,
    Patrick

    --
    PHP Internals - PHP Runtime Development Mailing List
    To unsubscribe, visit: http://www.php.net/unsub.php
  • Patrick ALLAERT at Nov 15, 2011 at 10:51 pm

    2011/11/15 Paul Dragoonis <dragoonis@gmail.com>:
    On Tue, Nov 15, 2011 at 10:09 PM, Patrick ALLAERT
    wrote:
    Hello,

    Calling session_regenerate_id() inside a same request will generate
    multiple Set-Cookie headers

    example code:
    <?
    session_start();
    session_regenerate_id();
    session_regenerate_id();
    ?>

    will result in, e.g.:
    Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
    Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/

    As per rfc6265, it seems incorrect:
    "Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name."

    And is causing errors on some Blackberry and IE8:
    http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
    http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562

    It looks like the culprit is in ext/session/session.c:
    /* 'replace' must be 0 here, else a previous Set-Cookie
    header, probably sent with setcookie() will be replaced! */
    sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);
    where 'replace' is intentionally set to 0 while everywhere else it is
    called with replace = 1 (or via sapi_add_header())

    Can someone explain me why we intentionally have that behavior ?
    Patrick, I don't know the reason why this is, but if it's filed as a
    bug then i'm happy to patch it!.
    Well, if that's a valid bug, I could have patched it myself, the thing
    is that it really looks intentional which makes me think it is not a
    bug.
    Hence I asked the question on internals before submitting a bug about it.

    @mike

    Since you are the one who introduced the comment, you might be the
    best person to comment on this.

    Cheers,
    Patrick
  • Michael Wallner at Nov 16, 2011 at 11:12 am

    On Tue, 15 Nov 2011 23:51:25 +0100, Patrick ALLAERT wrote:

    As per rfc6265, it seems incorrect:
    "Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name."
    @mike

    Since you are the one who introduced the comment, you might be the best
    person to comment on this.
    If you set replace to 1 it would replace any Set-Cookie header, not
    necessarily the session cookie header.

    Mike
  • Ferenc Kovacs at Nov 16, 2011 at 11:30 am

    On Wed, Nov 16, 2011 at 12:12 PM, Michael Wallner wrote:
    On Tue, 15 Nov 2011 23:51:25 +0100, Patrick ALLAERT wrote:

    As per rfc6265, it seems incorrect:
    "Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name."
    @mike

    Since you are the one who introduced the comment, you might be the best
    person to comment on this.
    If you set replace to 1 it would replace any Set-Cookie header, not
    necessarily the session cookie header.

    Mike

    if we fix that, I would like to see
    https://bugs.php.net/bug.php?id=38104(previously reported as
    https://bugs.php.net/bug.php?id=31455) fixed also.

    --
    Ferenc Kovács
    @Tyr43l - http://tyrael.hu
  • Ferenc Kovacs at Jan 9, 2012 at 11:48 am
    On Wed, Nov 16, 2011 at 12:30 PM, Ferenc Kovacs wrote:
    On Wed, Nov 16, 2011 at 12:12 PM, Michael Wallner wrote:
    On Tue, 15 Nov 2011 23:51:25 +0100, Patrick ALLAERT wrote:

    As per rfc6265, it seems incorrect:
    "Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name."
    @mike

    Since you are the one who introduced the comment, you might be the best
    person to comment on this.
    If you set replace to 1 it would replace any Set-Cookie header, not
    necessarily the session cookie header.

    Mike

    if we fix that, I would like to see https://bugs.php.net/bug.php?id=38104(previously reported as
    https://bugs.php.net/bug.php?id=31455) fixed also.

    --
    Ferenc Kovács
    @Tyr43l - http://tyrael.hu
    bump.

    --
    Ferenc Kovács
    @Tyr43l - http://tyrael.hu
  • Yasuo Ohgaki at Jan 20, 2012 at 3:31 am
    Hi Stats,

    Even if this bug is marked as bogus in bug DB, I think this bug needed
    to be fixed for 5.4.

    https://bugs.php.net/bug.php?id=38104

    It seems this bug causes problem with IE that not keeping session correctly.

    From RFC 6250
    -------------
    Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name. (See Section 5.2 for
    how user agents handle this case.)
    -------------
    http://datatracker.ietf.org/doc/rfc6265/?include_text=1

    It seems IE conform this standard.

    According to svn log, it seems it was not fixed.
    Anyone working with this issue? or already fixed?
    I'm just curious.

    Regards,

    --
    Yasuo Ohgaki
    yohgaki@ohgaki.net



    2012/1/9 Ferenc Kovacs <tyra3l@gmail.com>:
    On Wed, Nov 16, 2011 at 12:30 PM, Ferenc Kovacs wrote:


    On Wed, Nov 16, 2011 at 12:12 PM, Michael Wallner wrote:
    On Tue, 15 Nov 2011 23:51:25 +0100, Patrick ALLAERT wrote:

    As per rfc6265, it seems incorrect:
    "Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name."
    @mike

    Since you are the one who introduced the comment, you might be the best
    person to comment on this.
    If you set replace to 1 it would replace any Set-Cookie header, not
    necessarily the session cookie header.

    Mike

    if we fix that, I would like to see https://bugs.php.net/bug.php?id=38104(previously reported as
    https://bugs.php.net/bug.php?id=31455) fixed also.

    --
    Ferenc Kovács
    @Tyr43l - http://tyrael.hu
    bump.

    --
    Ferenc Kovács
    @Tyr43l - http://tyrael.hu
  • Stas Malyshev at Jan 20, 2012 at 6:45 am
    Hi!
    Even if this bug is marked as bogus in bug DB, I think this bug needed
    to be fixed for 5.4.

    https://bugs.php.net/bug.php?id=38104

    It seems this bug causes problem with IE that not keeping session correctly.
    It looks like pretty rare scenario and doesn't seem to require any core
    changes to fix, so I think we can do it in 5.4.1.
    --
    Stanislav Malyshev, Software Architect
    SugarCRM: http://www.sugarcrm.com/
    (408)454-6900 ext. 227

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupphp-internals @
categoriesphp
postedNov 15, '11 at 10:09p
activeJan 20, '12 at 6:45a
posts8
users6
websitephp.net

6 users in discussion

Ferenc Kovacs: 2 posts Patrick ALLAERT: 2 posts Michael Wallner: 1 post Yasuo Ohgaki: 1 post Stas Malyshev: 1 post Paul Dragoonis: 1 post

Content

People

Support

Translate

site design / logo © 2022 Grokbase