On Tue, Nov 15, 2011 at 10:09 PM, Patrick ALLAERT <patrickalla...@php.net> wrote:
> Hello,
>
> Calling session_regenerate_id() inside a same request will generate
> multiple Set-Cookie headers
>
> example code:
> <?
> session_start();
> session_regenerate_id();
> session_regenerate_id();
> ?>
>
> will result in, e.g.:
> Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
> Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/
>
> As per rfc6265, it seems incorrect:
> "Servers SHOULD NOT include more than one Set-Cookie header field in
> the same response with the same cookie-name."
>
> And is causing errors on some Blackberry and IE8:
> http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
> http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562
>
> It looks like the culprit is in ext/session/session.c:
>     /* 'replace' must be 0 here, else a previous Set-Cookie
>        header, probably sent with setcookie() will be replaced! */
>     sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);
> where 'replace' is intentionally set to 0 while everywhere else it is
> called with replace = 1 (or via sapi_add_header())
>
> Can someone explain me why we intentionally have that behavior ?
>

Patrick, I don't know the reason why this is, but if it's filed as a bug then I'm happy to patch it!

- Paul.

> Cheers,
> Patrick
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
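
Added example, not part of the thread and not PHP's own code: a userland check for the condition described above, which finds cookie-names that occur in more than one pending Set-Cookie header and re-sends only the last one for each name. The function names are hypothetical, PHP 7.1 or later is assumed, and the sample header list is constructed from the two lines quoted in the thread.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.

// Cookie-name of a "Set-Cookie:" header line, or null for any other header.
function set_cookie_name(string $line): ?string
{
    return preg_match('/^Set-Cookie:\s*([^=;\s]+)=/i', $line, $m) ? $m[1] : null;
}

// Keep the last Set-Cookie line per cookie-name; other headers pass through.
// Returns [kept header lines, cookie-names that appeared more than once].
function dedupe_set_cookie(array $headers): array
{
    $last = $dupes = [];
    foreach ($headers as $i => $line) {
        if (($name = set_cookie_name($line)) === null) continue;
        if (isset($last[$name])) $dupes[$name] = true;
        $last[$name] = $i; // index of the newest line for this name
    }
    $kept = [];
    foreach ($headers as $i => $line) {
        $name = set_cookie_name($line);
        if ($name === null || $last[$name] === $i) $kept[] = $line;
    }
    return [$kept, array_keys($dupes)];
}

// Apply to the pending response; call after the last session_regenerate_id().
function resend_deduped_cookies(): array
{
    [$kept, $dupes] = dedupe_set_cookie(headers_list());
    if ($dupes && !headers_sent()) {
        header_remove('Set-Cookie');
        foreach ($kept as $line) {
            if (set_cookie_name($line) !== null) {
                header($line, false); // false = append, so other cookies survive
            }
        }
    }
    return $dupes;
}

// Constructed input: the two header lines from the thread plus an unrelated cookie.
if (PHP_SAPI === 'cli') {
    print_r(dedupe_set_cookie([
        'Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/',
        'Set-Cookie: theme=dark; path=/',
        'Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/',
    ]));
}
```

Matching on the cookie-name alone also collapses cookies that share a name but differ in Path or Domain, so an application that sets such cookies on purpose would need to compare those attributes as well.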