ID: 33868 Updated by: [EMAIL PROTECTED] Reported By: wglynn at freedomhealthcare dot org -Status: Open +Status: Assigned Bug Type: Session related Operating System: Linux PHP Version: 4.3.11 -Assigned To: +Assigned To: sas
Previous Comments: ------------------------------------------------------------------------ [2005-07-26 17:28:48] wglynn at freedomhealthcare dot org Description: ------------ After switching webservers (and upgrading PHP) over the weekend for an internal application, our users began reporting that they were getting logged out randomly. After triple-checking our code and web server setup, we started digging through the PHP source, and eventually discovered the issue. In PHP 4.3.4 (and versions before and after 4.3.4), setting a nonzero value of session.cookie_lifetime either via php.ini or session_set_cookie_params() resulted in a cookie that expires a certain number of seconds after the current page load. This has the net effect of session.cookie_lifetime setting an inactivity timeout. In PHP 4.3.11, session_start() sends Set-Cookie: once, with an expiration time governed by session.cookie_lifetime. (I believe this behavior changed for PHP 4.3.9.) So, if session.cookie_lifetime is 20 minutes, the cookie will expire and destroy the session 20 minutes after login, regardless of any activity. Bug #30232 attempted to change this behavior and got a patch committed, but it was ripped out, saying that the behavior of setting the cookie once is intentional and correct. I feel that this behavior is completely wrong for cases where session.cookie_lifetime is nonzero; there is no situation where sessions should expire a fixed time after setting them, but many situations where sessions should expire a fixed time after a call to session_start(). My proposed fix is to always send cookies if session.cookie_lifetime is nonzero. Reproduce code: --------------- <?php header('Refresh: 10'); session_set_cookie_params(15); session_start(); if (!isset($_SESSION['i'])) { $_SESSION['i'] = 1; echo 'Started session.'; } else { $_SESSION['i']++; echo "Page load number {$_SESSION['i']}."; } Expected result: ---------------- "Page load number" should keep incrementing for as long as the browser keeps refreshing the page within the cookie lifetime. Actual result: -------------- The cookie expires 15 seconds after the first page load, destroying the session. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=33868&edit=1