ID: 33868
Updated by: [EMAIL PROTECTED]
Reported By: wglynn at freedomhealthcare dot org
-Status: Open
+Status: Assigned
Bug Type: Session related
Operating System: Linux
PHP Version: 4.3.11
-Assigned To:
+Assigned To: sas
Previous Comments:
------------------------------------------------------------------------
[2005-07-26 17:28:48] wglynn at freedomhealthcare dot org
Description:
------------
After switching webservers (and upgrading PHP) over the weekend for an
internal application, our users began reporting that they were getting
logged out randomly. After triple-checking our code and web server
setup, we started digging through the PHP source, and eventually
discovered the issue.
In PHP 4.3.4 (and versions before and after 4.3.4), setting a nonzero
value of session.cookie_lifetime either via php.ini or
session_set_cookie_params() resulted in a cookie that expires a certain
number of seconds after the current page load. This has the net effect
of session.cookie_lifetime setting an inactivity timeout.
In PHP 4.3.11, session_start() sends Set-Cookie: once, with an
expiration time governed by session.cookie_lifetime. (I believe this
behavior changed for PHP 4.3.9.) So, if session.cookie_lifetime is 20
minutes, the cookie will expire and destroy the session 20 minutes
after login, regardless of any activity.
Bug #30232 attempted to change this behavior and got a patch committed,
but it was ripped out, saying that the behavior of setting the cookie
once is intentional and correct. I feel that this behavior is
completely wrong for cases where session.cookie_lifetime is nonzero;
there is no situation where sessions should expire a fixed time after
setting them, but many situations where sessions should expire a fixed
time after a call to session_start().
My proposed fix is to always send cookies if session.cookie_lifetime is
nonzero.
Reproduce code:
---------------
<?php
header('Refresh: 10');
session_set_cookie_params(15);
session_start();
if (!isset($_SESSION['i'])) {
$_SESSION['i'] = 1;
echo 'Started session.';
} else {
$_SESSION['i']++;
echo "Page load number {$_SESSION['i']}.";
}
Expected result:
----------------
"Page load number" should keep incrementing for as long as the browser
keeps refreshing the page within the cookie lifetime.
Actual result:
--------------
The cookie expires 15 seconds after the first page load, destroying the
session.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=33868&edit=1
