2011/11/15 Paul Dragoonis <dragoo...@gmail.com>:
> On Tue, Nov 15, 2011 at 10:09 PM, Patrick ALLAERT
> <patrickalla...@php.net> wrote:
>> Hello,
>>
>> Calling session_regenerate_id() inside the same request will generate
>> multiple Set-Cookie headers
>>
>> example code:
>> <?php
>> session_start();
>> session_regenerate_id();
>> session_regenerate_id();
>> ?>
>>
>> will result in, e.g.:
>> Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
>> Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/
>>
>> As per RFC 6265, it seems incorrect:
>> "Servers SHOULD NOT include more than one Set-Cookie header field in
>> the same response with the same cookie-name."
>>
>> And is causing errors on some Blackberry and IE8:
>> http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
>> http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562
>>
>> It looks like the culprit is in ext/session/session.c:
>> /* 'replace' must be 0 here, else a previous Set-Cookie
>>  header, probably sent with setcookie() will be replaced! */
>> sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);
>> where 'replace' is intentionally set to 0 while everywhere else it is
>> called with replace = 1 (or via sapi_add_header())
>>
>> Can someone explain to me why we intentionally have that behavior?
>>
>
> Patrick, I don't know the reason why this is, but if it's filed as a
> bug then I'm happy to patch it!

Well, if that's a valid bug, I could have patched it myself; the thing
is that it really looks intentional, which makes me think it is not a
bug.
Hence I asked the question on internals before submitting a bug about it.

@mike

Since you are the one who introduced the comment, you might be the
best person to comment on this.

Cheers,
Patrick

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
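
A userland way to collapse the duplicate headers described in this message, as an added example that is not part of the thread or of php-src. The function names `dedupe_set_cookie` and `send_deduped_cookies` are hypothetical, and the sample header list is constructed from the two headers quoted above.

```php
<?php
/**
 * Given header lines as returned by headers_list(), return the Set-Cookie
 * lines to send, keeping only the last line seen for each cookie name.
 */
function dedupe_set_cookie(array $headers): array
{
    $last = [];
    foreach ($headers as $line) {
        // Header field names are case-insensitive.
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = ltrim(substr($line, strlen('Set-Cookie:')));
        // name=value is the part before the first ';', the name is before the first '='.
        $pair = explode(';', $value, 2)[0];
        $name = trim(explode('=', $pair, 2)[0]);
        // Re-insert so the survivor keeps the position of its last occurrence.
        unset($last[$name]);
        $last[$name] = 'Set-Cookie: ' . $value;
    }
    return array_values($last);
}

/** Call after the last session_regenerate_id() and before any output. */
function send_deduped_cookies(): void
{
    if (headers_sent()) {
        return; // too late to change headers
    }
    $cookies = dedupe_set_cookie(headers_list());
    header_remove('Set-Cookie');
    foreach ($cookies as $line) {
        // replace = false: append, so cookies with different names all survive.
        header($line, false);
    }
}

// Constructed sample input: the two PHPSESSID headers from the message plus
// an unrelated cookie (assumed) to show that other names are left alone.
$sample = [
    'Content-Type: text/html',
    'Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/',
    'Set-Cookie: lang=en; path=/',
    'Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/',
];
print_r(dedupe_set_cookie($sample));
```

Keeping the last value per name means the client receives only the ID from the final session_regenerate_id() call, while cookies set with setcookie() under other names are preserved.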
