#33868 [NEW]: Session cookies are set only once
From: wglynn at freedomhealthcare dot org
Operating system: Linux
PHP version: 4.3.11
PHP Bug Type: Session related
Bug description: Session cookies are set only once
Description:
After switching webservers (and upgrading PHP) over the weekend for an
internal application, our users began reporting that they were getting
logged out randomly. After triple-checking our code and web server setup,
we started digging through the PHP source, and eventually discovered the
issue.
In PHP 4.3.4 (and versions before and after 4.3.4), setting a nonzero
value of session.cookie_lifetime either via php.ini or
session_set_cookie_params() resulted in a cookie that expires a certain
number of seconds after the current page load. This has the net effect of
session.cookie_lifetime setting an inactivity timeout.
In PHP 4.3.11, session_start() sends Set-Cookie: once, with an expiration
time governed by session.cookie_lifetime. (I believe this behavior changed
for PHP 4.3.9.) So, if session.cookie_lifetime is 20 minutes, the cookie
will expire and destroy the session 20 minutes after login, regardless of
any activity.
Bug #30232 attempted to change this behavior and got a patch committed,
but it was ripped out, saying that the behavior of setting the cookie once
is intentional and correct. I feel that this behavior is completely wrong
for cases where session.cookie_lifetime is nonzero; there is no situation
where sessions should expire a fixed time after setting them, but many
situations where sessions should expire a fixed time after a call to
session_start().
My proposed fix is to always send cookies if session.cookie_lifetime is
nonzero.
Reproduce code:
---
?php
header('Refresh: 10');
session_set_cookie_params(15);
session_start();
if (!isset($_SESSION['i'])) {
$_SESSION['i'] = 1;
echo 'Started session.';
} else {
$_SESSION['i']++;
echo Page load number {$_SESSION['i']}.;
}
Expected result:
Page load number should keep incrementing for as long as the browser
keeps refreshing the page within the cookie lifetime.
Actual result:
--
The cookie expires 15 seconds after the first page load, destroying the
session.
--
Edit bug report at http://bugs.php.net/?id=33868edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=33868r=trysnapshot4
Try a CVS snapshot (php5.0):
http://bugs.php.net/fix.php?id=33868r=trysnapshot50
Try a CVS snapshot (php5.1):
http://bugs.php.net/fix.php?id=33868r=trysnapshot51
Fixed in CVS:http://bugs.php.net/fix.php?id=33868r=fixedcvs
Fixed in release:http://bugs.php.net/fix.php?id=33868r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=33868r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=33868r=needscript
Try newer version: http://bugs.php.net/fix.php?id=33868r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=33868r=support
Expected behavior: http://bugs.php.net/fix.php?id=33868r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=33868r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=33868r=submittedtwice
register_globals:http://bugs.php.net/fix.php?id=33868r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=33868r=php3
Daylight Savings:http://bugs.php.net/fix.php?id=33868r=dst
IIS Stability: http://bugs.php.net/fix.php?id=33868r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=33868r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=33868r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=33868r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=33868r=mysqlcfg
#33868 [Bgs]: Session cookies are set only once
ID: 33868
User updated by: wglynn at freedomhealthcare dot org
Reported By: wglynn at freedomhealthcare dot org
Status: Bogus
Bug Type: Session related
Operating System: Linux
PHP Version: 4.3.11
Assigned To: sas
New Comment:
I am aware that session.gc_maxlifetime can have a similar effect,
however:
1. session.cookie_lifetime gives a much finer degree of control over
the duration of the session, as different lifetimes can be assigned
based on user-specified criteria (i.e. inside hosts get one timeout,
outside hosts get another)
2. This is a deviation from earlier behavior that was not documented in
the master ChangeLog
3. This change of behavior provides no benefit for non-zero values of
session.cookie_lifetime and breaks existing software that expects
session_start() to reset the cookie expiration
4. If the new behavior is desired (for whatever reason), it can be
synthesized under the old behavior. The opposite is not true.
As I see it, the bottom line is that having session_start() send a
cookie only when the browser did not supply one reduces functionality,
breaks some existing software, and helps nothing when cookie_lifetime
is nonzero. Changing this behavior back would be trivial, and would
give a tangible benefit.
Previous Comments:
[2005-07-26 20:37:24] [EMAIL PROTECTED]
You've got confused with session maxlife and cookie max life.
There's no bug here.
[2005-07-26 17:28:48] wglynn at freedomhealthcare dot org
Description:
After switching webservers (and upgrading PHP) over the weekend for an
internal application, our users began reporting that they were getting
logged out randomly. After triple-checking our code and web server
setup, we started digging through the PHP source, and eventually
discovered the issue.
In PHP 4.3.4 (and versions before and after 4.3.4), setting a nonzero
value of session.cookie_lifetime either via php.ini or
session_set_cookie_params() resulted in a cookie that expires a certain
number of seconds after the current page load. This has the net effect
of session.cookie_lifetime setting an inactivity timeout.
In PHP 4.3.11, session_start() sends Set-Cookie: once, with an
expiration time governed by session.cookie_lifetime. (I believe this
behavior changed for PHP 4.3.9.) So, if session.cookie_lifetime is 20
minutes, the cookie will expire and destroy the session 20 minutes
after login, regardless of any activity.
Bug #30232 attempted to change this behavior and got a patch committed,
but it was ripped out, saying that the behavior of setting the cookie
once is intentional and correct. I feel that this behavior is
completely wrong for cases where session.cookie_lifetime is nonzero;
there is no situation where sessions should expire a fixed time after
setting them, but many situations where sessions should expire a fixed
time after a call to session_start().
My proposed fix is to always send cookies if session.cookie_lifetime is
nonzero.
Reproduce code:
---
?php
header('Refresh: 10');
session_set_cookie_params(15);
session_start();
if (!isset($_SESSION['i'])) {
$_SESSION['i'] = 1;
echo 'Started session.';
} else {
$_SESSION['i']++;
echo Page load number {$_SESSION['i']}.;
}
Expected result:
Page load number should keep incrementing for as long as the browser
keeps refreshing the page within the cookie lifetime.
Actual result:
--
The cookie expires 15 seconds after the first page load, destroying the
session.
--
Edit this bug report at http://bugs.php.net/?id=33868edit=1
