From: bnies at bluewin dot ch
Operating system: Solaris 9
PHP version: 5.2.4
PHP Bug Type: Session related
Bug description: PHP Cookie expiration

Description:
------------
I'm not sure if it has been fixed in PHP 5.2.4, but the problem is there in PHP 5.2.2. If PHP terminates a session with session_unregister(); it sends these HTTP headers to the browser:

Set-Cookie: SQMSESSID=deleted; expires=Thu, 09-Nov-2006 13:34:48 GMT; path=/

The 'expires' option is an old option proposed by Netscape. See RFC 2109. We stumbled across a session problem with a proxy software that ignores this 'expires' option and implements only the new 'Max-Age=0' option.

The expires=olddate is also bad, because one can never know what the time on the remote side is. What if the remote system clock is more than one year behind?

Could it be a fix to send both cookie expire options to make sure a cookie really gets deleted:

Set-Cookie: SQMSESSID=deleted; expires=Thu, 09-Nov-2006 13:34:48 GMT; path=/
Set-Cookie: SQMSESSID=deleted; Max-Age=0; path=/

The problem appeared with the proxy software that ignored cookie deletion and then sent the session cookie with value "deleted" to the application, which then treated the session ID "deleted" as a valid session.

See here for more details:
https://sourceforge.net/tracker/index.php?func=detail&aid=1829025&group_id=311&atid=100311

Best Regards,
Bernd Nies

-- 
Edit bug report at http://bugs.php.net/?id=43226&edit=1
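
Added example (not part of the original report and not PHP's own code): a server-side guard that refuses the placeholder value "deleted" as a session ID, together with the two deletion headers the report proposes. The function names, the session ID pattern and the fixed 1970 expiry date are assumptions of this example; it is written for PHP 7.1 or later.

```php
<?php
// Added example; all names here are hypothetical, not part of PHP itself.

// Placeholder value PHP writes into the deletion cookie, as quoted in the report.
const DELETED_SENTINEL = 'deleted';

/**
 * Build both deletion headers proposed in the report: the Netscape-style
 * "expires" attribute and "Max-Age=0".
 * Assumption: a fixed date at the start of the Unix epoch is used instead of
 * a date relative to the server clock, so a skewed remote clock cannot matter.
 */
function build_delete_cookie_headers(string $name, string $path = '/'): array
{
    $past = gmdate('D, d-M-Y H:i:s', 1) . ' GMT';
    return [
        sprintf('Set-Cookie: %s=%s; expires=%s; path=%s', $name, DELETED_SENTINEL, $past, $path),
        sprintf('Set-Cookie: %s=%s; Max-Age=0; path=%s', $name, DELETED_SENTINEL, $path),
    ];
}

/**
 * Decide whether a cookie value may be used as a session ID at all.
 * Assumption: real IDs are 22 to 256 characters from [A-Za-z0-9,-]; adjust
 * the pattern to the session hash settings of the deployment.
 */
function is_acceptable_session_id(?string $id): bool
{
    if ($id === null || $id === DELETED_SENTINEL) {
        return false; // a replayed deletion cookie never names a session
    }
    return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1;
}

// Constructed cookie values: the first is what a proxy that ignored the
// deletion would send back, the last is a well-formed constructed ID.
$samples = ['deleted', '', 'f3a9c1d27b8e4a60915c2d7e8b4f6a13'];
foreach ($samples as $sid) {
    $verdict = is_acceptable_session_id($sid) ? 'accept' : 'reject';
    printf("%-36s %s\n", var_export($sid, true), $verdict);
}

// In a live response each line would be sent with header($line, false)
// so the second Set-Cookie does not replace the first.
foreach (build_delete_cookie_headers('SQMSESSID') as $line) {
    echo $line, "\n";
}
```

Running the guard on the incoming cookie before session_start() means a replayed "deleted" value is discarded on the server even when an intermediary fails to honour either expiry attribute.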