#33868 [NEW]: Session cookies are set only once
From: wglynn at freedomhealthcare dot org Operating system: Linux PHP version: 4.3.11 PHP Bug Type: Session related Bug description: Session cookies are set only once Description: After switching webservers (and upgrading PHP) over the weekend for an internal application, our users began reporting that they were getting logged out randomly. After triple-checking our code and web server setup, we started digging through the PHP source, and eventually discovered the issue. In PHP 4.3.4 (and versions before and after 4.3.4), setting a nonzero value of session.cookie_lifetime either via php.ini or session_set_cookie_params() resulted in a cookie that expires a certain number of seconds after the current page load. This has the net effect of session.cookie_lifetime setting an inactivity timeout. In PHP 4.3.11, session_start() sends Set-Cookie: once, with an expiration time governed by session.cookie_lifetime. (I believe this behavior changed for PHP 4.3.9.) So, if session.cookie_lifetime is 20 minutes, the cookie will expire and destroy the session 20 minutes after login, regardless of any activity. Bug #30232 attempted to change this behavior and got a patch committed, but it was ripped out, saying that the behavior of setting the cookie once is intentional and correct. I feel that this behavior is completely wrong for cases where session.cookie_lifetime is nonzero; there is no situation where sessions should expire a fixed time after setting them, but many situations where sessions should expire a fixed time after a call to session_start(). My proposed fix is to always send cookies if session.cookie_lifetime is nonzero. Reproduce code: --- ?php header('Refresh: 10'); session_set_cookie_params(15); session_start(); if (!isset($_SESSION['i'])) { $_SESSION['i'] = 1; echo 'Started session.'; } else { $_SESSION['i']++; echo Page load number {$_SESSION['i']}.; } Expected result: Page load number should keep incrementing for as long as the browser keeps refreshing the page within the cookie lifetime. Actual result: -- The cookie expires 15 seconds after the first page load, destroying the session. -- Edit bug report at http://bugs.php.net/?id=33868edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=33868r=trysnapshot4 Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=33868r=trysnapshot50 Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=33868r=trysnapshot51 Fixed in CVS:http://bugs.php.net/fix.php?id=33868r=fixedcvs Fixed in release:http://bugs.php.net/fix.php?id=33868r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=33868r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=33868r=needscript Try newer version: http://bugs.php.net/fix.php?id=33868r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=33868r=support Expected behavior: http://bugs.php.net/fix.php?id=33868r=notwrong Not enough info: http://bugs.php.net/fix.php?id=33868r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=33868r=submittedtwice register_globals:http://bugs.php.net/fix.php?id=33868r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=33868r=php3 Daylight Savings:http://bugs.php.net/fix.php?id=33868r=dst IIS Stability: http://bugs.php.net/fix.php?id=33868r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=33868r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=33868r=float No Zend Extensions: http://bugs.php.net/fix.php?id=33868r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=33868r=mysqlcfg
#33868 [Bgs]: Session cookies are set only once
ID: 33868 User updated by: wglynn at freedomhealthcare dot org Reported By: wglynn at freedomhealthcare dot org Status: Bogus Bug Type: Session related Operating System: Linux PHP Version: 4.3.11 Assigned To: sas New Comment: I am aware that session.gc_maxlifetime can have a similar effect, however: 1. session.cookie_lifetime gives a much finer degree of control over the duration of the session, as different lifetimes can be assigned based on user-specified criteria (i.e. inside hosts get one timeout, outside hosts get another) 2. This is a deviation from earlier behavior that was not documented in the master ChangeLog 3. This change of behavior provides no benefit for non-zero values of session.cookie_lifetime and breaks existing software that expects session_start() to reset the cookie expiration 4. If the new behavior is desired (for whatever reason), it can be synthesized under the old behavior. The opposite is not true. As I see it, the bottom line is that having session_start() send a cookie only when the browser did not supply one reduces functionality, breaks some existing software, and helps nothing when cookie_lifetime is nonzero. Changing this behavior back would be trivial, and would give a tangible benefit. Previous Comments: [2005-07-26 20:37:24] [EMAIL PROTECTED] You've got confused with session maxlife and cookie max life. There's no bug here. [2005-07-26 17:28:48] wglynn at freedomhealthcare dot org Description: After switching webservers (and upgrading PHP) over the weekend for an internal application, our users began reporting that they were getting logged out randomly. After triple-checking our code and web server setup, we started digging through the PHP source, and eventually discovered the issue. In PHP 4.3.4 (and versions before and after 4.3.4), setting a nonzero value of session.cookie_lifetime either via php.ini or session_set_cookie_params() resulted in a cookie that expires a certain number of seconds after the current page load. This has the net effect of session.cookie_lifetime setting an inactivity timeout. In PHP 4.3.11, session_start() sends Set-Cookie: once, with an expiration time governed by session.cookie_lifetime. (I believe this behavior changed for PHP 4.3.9.) So, if session.cookie_lifetime is 20 minutes, the cookie will expire and destroy the session 20 minutes after login, regardless of any activity. Bug #30232 attempted to change this behavior and got a patch committed, but it was ripped out, saying that the behavior of setting the cookie once is intentional and correct. I feel that this behavior is completely wrong for cases where session.cookie_lifetime is nonzero; there is no situation where sessions should expire a fixed time after setting them, but many situations where sessions should expire a fixed time after a call to session_start(). My proposed fix is to always send cookies if session.cookie_lifetime is nonzero. Reproduce code: --- ?php header('Refresh: 10'); session_set_cookie_params(15); session_start(); if (!isset($_SESSION['i'])) { $_SESSION['i'] = 1; echo 'Started session.'; } else { $_SESSION['i']++; echo Page load number {$_SESSION['i']}.; } Expected result: Page load number should keep incrementing for as long as the browser keeps refreshing the page within the cookie lifetime. Actual result: -- The cookie expires 15 seconds after the first page load, destroying the session. -- Edit this bug report at http://bugs.php.net/?id=33868edit=1