From:             aaron at istockphoto dot com
Operating system: Slackware 9.1.0
PHP version:      4.3.10
PHP Bug Type:     Session related
Bug description:  setting cookie value to '' results in cookie value of 'deleted'

Description:
------------
This is related to the issue that was reported in Bug 
#25629 "session cookie being set to deleted when 
deleting a session" for version 4.3.1. I was not sure if 
I should try to re-open the old bug or submit a new one. 
My apologies.

The problem is not with the session code, but is a side 
effect of the behavior of setcookie().

Following the example provided in the manual entries for 
session_destroy() and setcookie(), the value of the 
session cookie is not set to '' (empty string) as 
expected, but is set to 'deleted' instead. This 
shouldn't be an issue, except that if the client 
computer's date is incorrectly set in the distant past 
(not uncommon) then the cookie will not be removed from 
the browser and will be passed in the next request 
as "deleted".

Within 24 hours of adding the 
"setcookie('PHPSESSID', '', time() - 172800, '/', 
'.foo.bar')" line to our logout procedure we discovered 
that perhaps 40 visitors had shared the same session 
data. A major security issue to be sure. We hacked our 
session handler object to not accept 'deleted' as a 
session ID.

Either PHP should be updated to set the value of the 
cookie to an empty string as the setcookie() command 
insinuates it will be, or the manual entries for 
session_destroy(), setcookie(), and 
session_set_save_handler() should be updated to explain 
the current behavior.

Thank you :)


Headers sent in request response to illustrate actual 
values of cookies:

HTTP/1.1 302 Found
Date: Thu, 30 Jun 2005 15:30:12 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7d
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=deleted; expires=Wed, 30-Jun-04 15:30:11 GMT; path=/; domain=.foo.bar
Set-Cookie: somecookie=deleted; expires=Wed, 30-Jun-04 15:41:00 GMT; path=/; domain=.foo.bar
location: /index.php
Transfer-Encoding: chunked
Content-Type: text/html


Reproduce code:
---------------
Source code:

session_start();

setcookie('PHPSESSID', '', time() - 172800, '/', '.foo.bar');
setcookie('somecookie', '', time() - 172800, '/', '.foo.bar');

$_SESSION = array();
session_destroy();

header('location: /index.php');


Expected result:
----------------
The value of PHPSESSID cookie (or any other cookie) would 
be set to '' (empty string)


Actual result:
--------------
The value of PHPSESSID cookie (or any other cookie) is 
set to 'deleted' resulting in many users sharing the 
same session ID.

-- 
Edit bug report at http://bugs.php.net/?id=33526&edit=1
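
The workaround mentioned in the report (refusing 'deleted' as a session ID) can be generalized to refusing any ID that is not shaped like a server-generated one. The following is an added example, not the reporter's handler code and not part of PHP; the function names are hypothetical, and it assumes PHP 7.1+ (for session_create_id()) and the default session ID alphabet.

```php
<?php
// Added example (hypothetical helper names), not code from the bug report.
// Assumption: IDs come from PHP's own generator, i.e. 22-256 characters
// drawn from [A-Za-z0-9,-]. Requires PHP 7.1+ for session_create_id().

/** True only for values shaped like a server-generated session ID. */
function is_plausible_session_id($id): bool
{
    if (!is_string($id)) {
        return false;   // e.g. PHPSESSID[]=x arrives as an array
    }
    if (strcasecmp($id, 'deleted') === 0) {
        return false;   // placeholder value seen in the Set-Cookie headers
    }
    return preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $id) === 1;
}

/** Start the session, replacing a client-supplied ID that fails the check. */
function start_session_checked(): void
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_plausible_session_id($_COOKIE[$name])) {
        // Setting an ID before session_start() stops PHP from adopting the
        // cookie value and makes it send a fresh Set-Cookie to the client.
        $fresh = session_create_id();
        if ($fresh === false) {
            throw new RuntimeException('could not create a session ID');
        }
        session_id($fresh);
    }
    session_start();
}

// Constructed sample values, checked only when run from the command line.
if (PHP_SAPI === 'cli') {
    $samples = ['deleted', 'DELETED', '', 'short', str_repeat('a1', 16)];
    foreach ($samples as $value) {
        printf("%-36s %s\n", var_export($value, true),
            is_plausible_session_id($value) ? 'accepted' : 'rejected');
    }
}
```

Calling start_session_checked() in place of session_start() means a browser that kept the expired cookie gets its own new session instead of joining a shared one.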