From: dziugas at gmail dot com
Operating system: Linux Redhat
PHP version: 4.3.10
PHP Bug Type: Session related
Bug description: Disabling session.use_cookies doesn't prevent reading session cookies

Description:
------------
If the configuration directive session.use_cookies is set to 0 (or Off), cookies aren't sent to the browser anymore; however, if the browser sends a previously received cookie within a request, PHP tries to use it for the session id.

This is a problem in WAP deployments, where a number of mobile phone browsers send a Cookie in the form of:

Cookie: PHPSESSID="xxx, PHPSESSID=xxx"

(as denoted in http://bugs.php.net/bug.php?id=32111)

This makes PHP produce a warning:

PHP Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

Reproduce code:
---------------
<?php
// Cookie lifetime of one hour, then start the session and show its id.
session_set_cookie_params(3600);
session_start();
var_dump(session_id());

Add ini_set('session.use_cookies', true); in the first request and ini_set('session.use_cookies', false); in the second.

Expected result:
----------------
After the second request, the session ID (as returned by session_id()) should not be the same as after the first request.

Actual result:
--------------
The value returned by session_id() is the same in the first and second requests.

I think that if session.use_cookies is disabled, there should be no checking whether the browser sends a cookie having the same name as session_name().

--
Edit bug report at http://bugs.php.net/?id=32944&edit=1
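
A defensive guard for the behaviour reported above, as an added example that is not part of the original report or of PHP itself: it ignores a session cookie when session.use_cookies is off, or when its value contains characters outside the set named in the warning. The function names are hypothetical, and the guard assumes the session module takes the id from $_COOKIE[session_name()] when session_start() runs.

```php
<?php
// Added example; function names are hypothetical, not part of PHP.
// Assumption: session_start() takes the id from $_COOKIE[session_name()].

// Character set quoted in the warning from the report: a-z, A-Z and 0-9.
define('SESSION_ID_PATTERN', '/^[a-zA-Z0-9]+$/D');

// Return the cookie-supplied id if it may be used, or null to ignore it.
function acceptable_session_cookie($cookies, $name, $useCookies)
{
    if (!$useCookies) {
        return null;                 // cookies disabled: never adopt one
    }
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;                 // absent, or an array such as PHPSESSID[]=x
    }
    if (!preg_match(SESSION_ID_PATTERN, $cookies[$name])) {
        return null;                 // characters outside the set in the warning
    }
    return $cookies[$name];
}

// Interpret the ini value the way a boolean directive is normally written.
function session_cookies_enabled()
{
    $v = strtolower(trim((string) ini_get('session.use_cookies')));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

// Call before session_start(): drop a cookie the session must not adopt.
function scrub_session_cookie()
{
    $name = session_name();
    if (acceptable_session_cookie($_COOKIE, $name, session_cookies_enabled()) === null) {
        unset($_COOKIE[$name]);
    }
}

// Constructed sample inputs; the second value is taken from the cookie form
// quoted in the report. Each entry is (cookie array, use_cookies setting).
$samples = array(
    array(array('PHPSESSID' => 'abc123'), false),
    array(array('PHPSESSID' => '"xxx, PHPSESSID=xxx"'), true),
    array(array('PHPSESSID' => 'abc123'), true),
);
foreach ($samples as $s) {
    var_dump(acceptable_session_cookie($s[0], 'PHPSESSID', $s[1]));
}
```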