PHP creates two session ids when using strict mode
| Bug #66469 | PHP creates two session ids when using strict mode | | |
|---|---|---|---|
| Submitted: | 2014-01-12 08:28 UTC | Modified: | 2014-01-22 05:00 UTC |
| From: | oz at zend dot com | Assigned: | yohgaki (profile) |
| Status: | Closed | Package: | Session related |
| PHP Version: | 5.5.8 | OS: | All |
| Private report: | No | CVE-ID: | None |
[2014-01-12 08:28 UTC] oz at zend dot com
Description:
------------
When you enable the strict mode and then you execute session_start() without supplying a PHPSESSID (using php-cgi, cli, or ApacheBench for example), PHP creates two session ids and returns two SetCookie headers with both session ids.
I believe the second session id can be avoided since PHP knows it just created the session id for the first time.
Test script:
---------------
<?php
ini_set("session.use_strict_mode", "1");
ini_set("session.save_handler", "files");
session_start();
?>
Expected result:
----------------
"
Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
"
Actual result:
--------------
"
Set-Cookie: PHPSESSID=k1hn6r22om8kiq60nq72hhsa52; path=/
Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html
"
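A regression check for the behaviour reported above, added here as an example and not part of the original report or of PHP's own code: it scans a response's headers and reports any cookie that is set more than once for the same name, domain and path, which RFC 6265 says a server should not do within one response. The function names are hypothetical; the sample headers are the ones quoted in the report.

```python
"""Added example: flag a response that sets the same cookie more than once."""
from collections import defaultdict

# Header blocks copied from the report's "Actual result" and "Expected result".
COMMON = (
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT\n"
    "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\n"
    "Pragma: no-cache\n"
    "Content-type: text/html\n"
)
EXPECTED = "Set-Cookie: PHPSESSID=k6brqpp9rnh2ajo2tch4l68t84; path=/\n" + COMMON
ACTUAL = "Set-Cookie: PHPSESSID=k1hn6r22om8kiq60nq72hhsa52; path=/\n" + EXPECTED


def parse_set_cookie(value):
    """Return (name, value, domain, path) for one Set-Cookie header value."""
    pair, *attrs = [part.strip() for part in value.split(";")]
    name, _, cookie_value = pair.partition("=")
    domain, path = "", ""
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()          # attribute names are case-insensitive
        if key == "domain":
            domain = val.strip().lower().lstrip(".")
        elif key == "path":
            path = val.strip()             # paths stay case-sensitive
    return name, cookie_value, domain, path


def duplicate_cookies(raw_headers):
    """Map (name, domain, path) -> values, for cookies set more than once."""
    seen = defaultdict(list)
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, cookie_value, domain, path = parse_set_cookie(value)
            seen[(name, domain, path)].append(cookie_value)
    return {key: vals for key, vals in seen.items() if len(vals) > 1}


if __name__ == "__main__":
    for label, headers in (("expected", EXPECTED), ("actual", ACTUAL)):
        dupes = duplicate_cookies(headers)
        print(label, "->", dupes if dupes else "no duplicate cookies")
```

A client that processes the headers in order keeps only the last value for a given name, domain and path, so the earlier id in the list is the one that is discarded.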
[2014-01-17 03:37 UTC] yohgaki@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: yohgaki
[2014-01-17 03:37 UTC] yohgaki@php.net
[2014-01-17 03:40 UTC] yohgaki@php.net
[2014-01-21 09:18 UTC] yohgaki@php.net
[2014-01-22 05:00 UTC] yohgaki@php.net