Hello,

Calling session_regenerate_id() inside the same request will generate multiple Set-Cookie headers.

Example code:

    <?php
    session_start();
    session_regenerate_id();
    session_regenerate_id();
    ?>

will result in, e.g.:

    Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
    Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/

As per RFC 6265, it seems incorrect:

    "Servers SHOULD NOT include more than one Set-Cookie header field in
    the same response with the same cookie-name."

And it is causing errors on some Blackberry and IE8:

http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562

It looks like the culprit is in ext/session/session.c:

    /* 'replace' must be 0 here, else a previous Set-Cookie header, probably sent with setcookie() will be replaced! */
    sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);

where 'replace' is intentionally set to 0, while everywhere else it is called with replace = 1 (or via sapi_add_header()).

Can someone explain to me why we intentionally have that behavior?

Cheers,
Patrick

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
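An application-side check for the behaviour described in the message above, as an added example that is not part of the original post or of PHP's source: it finds cookie names that occur in more than one queued Set-Cookie line and re-emits only the last line per name, leaving cookies with other names untouched. The function names `dedupe_set_cookie` and `send_unique_cookies` are hypothetical, and comparing cookies by name only is an assumption taken from the RFC 6265 sentence quoted in the post.

```php
<?php
// Added example, not PHP's own code. Function names are hypothetical.

/**
 * Collapse Set-Cookie lines so each cookie name appears once (last one wins).
 * Assumption: cookies are compared by name only, as in the RFC 6265 sentence.
 * @param string[] $headers raw header lines, e.g. from headers_list()
 * @return array [unique Set-Cookie lines, names that were duplicated]
 */
function dedupe_set_cookie(array $headers): array
{
    $last = [];       // cookie name => last Set-Cookie line seen
    $duplicated = []; // cookie name => true when seen more than once
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue; // not a cookie header
        }
        $pair = explode(';', substr($line, strlen('Set-Cookie:')), 2)[0];
        $name = trim(explode('=', $pair, 2)[0]);
        if (isset($last[$name])) {
            $duplicated[$name] = true;
            unset($last[$name]); // re-insert so order follows the last write
        }
        $last[$name] = $line;
    }
    return [array_values($last), array_keys($duplicated)];
}

// Web SAPI wiring: call before the first byte of output is sent.
function send_unique_cookies(): void
{
    [$cookies, $dupes] = dedupe_set_cookie(headers_list());
    if ($dupes === [] || headers_sent()) {
        return; // nothing to fix, or too late to change headers
    }
    header_remove('Set-Cookie');
    foreach ($cookies as $line) {
        header($line, false); // false = append, keep other cookies
    }
}

// Constructed sample: the two header lines quoted in the post.
$sample = [
    'Content-Type: text/html',
    'Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/',
    'Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/',
];
[$cookies, $dupes] = dedupe_set_cookie($sample);
print_r(['send' => $cookies, 'duplicated' => $dupes]);
```

Logging the duplicated names before rewriting the headers shows which code path regenerated the session ID more than once in a request.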
