Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:28344
Return-Path: <sesser@hardened-php.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 17816 invoked by uid 1010); 15 Mar 2007 12:12:23 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 17801 invoked from network); 15 Mar 2007 12:12:23 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 15 Mar 2007 12:12:23 -0000
Authentication-Results: pb1.pair.com header.from=sesser@hardened-php.net; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=sesser@hardened-php.net; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain hardened-php.net from 81.169.146.189 cause and error)
X-PHP-List-Original-Sender: sesser@hardened-php.net
X-Host-Fingerprint: 81.169.146.189 mo-p07-ob.rzone.de Solaris 10 (beta)
Received: from [81.169.146.189] ([81.169.146.189:64565] helo=mo-p07-ob.rzone.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DD/8B-24282-22839F54 for <internals@lists.php.net>; Thu, 15 Mar 2007 07:12:19 -0500
Received: from [192.168.1.77] (p5b006c1c.dip.t-dialin.net [91.0.108.28])
	by post.webmailer.de (klopstock mo10) (RZmta 5.1)
	with ESMTP id 706087j2FAtUzM ; Thu, 15 Mar 2007 13:12:15 +0100 (MET)
Message-ID: <45F9381F.3040708@hardened-php.net>
Date: Thu, 15 Mar 2007 13:12:15 +0100
User-Agent: Thunderbird 1.5.0.10 (Windows/20070221)
MIME-Version: 1.0
To:  RQuadling@GoogleMail.com
CC: internals <internals@lists.php.net>
References: <10845a340703140437q519bd232sc9b7dca53cef1e91@mail.gmail.com>
In-Reply-To: <10845a340703140437q519bd232sc9b7dca53cef1e91@mail.gmail.com>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-RZG-AUTH: z4gQVF2k7b92UJEMMe2/btTG
X-RZG-CLASS-ID: mo07
Subject: Re: [PHP-DEV] A request for code change : Repeated opening and closing
 the session leads to a LOT of Set-Cookie headers.
From: sesser@hardened-php.net (Stefan Esser)

Hello Richard,

your problem is a bug in the session extension.

My suggested but not tested workaround is that you simply call

ini_set("session.use_cookies", 0);

after the first time you call session_write_close(). This will stop the
session extension from sending further cookies during a single request.

Stefan Esser

Richard Quadling schrieb:
> Hi.
>
> I have a webapp which uses Ajax to initiate a process on the server
> which could take several minutes to complete and will go through many
> steps to before the task is finished.
>
> In that script, I update the session to indicate the current position
> of the process.
>
> When the user initiates the main process, another AJAX request is made
> which examines the state of the main process (via the session) and
> reports back to the client - keeps them interested. The user can also
> abort the process and closing the browser also triggers an abort.
>
> All works FINE in FF. In IE, I'm getting a "Page cannot be displayed"
> sort of errror (having to debug the response to see this). This SEEMS
> to relate to the fact that I am closing and opening the session in the
> first script as I want to keep the session file uptodate. The process
> script only has 1 output and that is the final result at the end of
> the script.
>
> I also tested this using a telnet connection to the webserver and sent
> the same headers that FireFox generated (captured via FireBub) and it
> bombed just before the data arrived (Lost connection).
>
> e.g.
>
> <?php
> function UpdateSession($s_Progress) {
> session_start();
> $_SESSION['Progress'] = $s_Progress;
> session_write_close();
> }
>
> //Stage 1
> UpdateSession('Loading preferences');
> ...
> //Stage 10
> UpdateSession('Report generated and is now available at <a href="' .
> MakeWebPath(realpath($s_PDFReport)) . '">here</a>.');
> echo rawurlencode(json_encode(array('SUCCESS' =>
> MakeWebPath(realpath($s_PDFReport)))));
> ?>
>
>
> As a consequence, I get ...
>
> Set-Cookie: PHPSESSID=uWPNRja2oT0PHPDCLqUiMzXiz1b; path=/
> Set-Cookie: PHPSESSID=uWPNRja2oT0PHPDCLqUiMzXiz1b; path=/
> Set-Cookie: PHPSESSID=uWPNRja2oT0PHPDCLqUiMzXiz1b; path=/
> ...
>
> LOTS of times followed by a "Page cannot be displayed". If I use
> Ethereal to examine the data, it is all there and is the same via IE
> and FF, it is just the IE doesn't like the REALLY long header.
>
> I accept this is normal behaviour and IE should "deal with it", but ...
>
> Is there any mileage in stopping session_start from sending the same
> header if it has already been sent? If the PHPSESSID is different,
> then fine, send it.
>
>> From looking at session.c and php_session.h, I think the following
> changes would suffice.
>
> 1 - The typedef struct _php_ps_globals {} needs to include ...
>
> char *prev_id;
>
>
> 2 - In PHP_GINIT_FUNCTION(ps) ...
>
> ps_globals->prev_id = NULL;
>
>
> 3 - In php_session_send_cookie(TSRMLS_D), do a comparison of prev_id
> and id (taking into account prev_id could be NULL) and if different,
> then allow the cookie to be set and to update prev_id with the id
> sent.
>
>
> Some other issues, if other parts of the cookie are altered, then
> maybe rather than just examining the ID, the entire cookie should be
> remembered.
>
>
> Assuming that the cookie would be identical, repeatedly sending it to
> the client when the session is repeatedly opened is a pain and I think
> can easily be fixed.
>
>
> Thank you for your time.
>
> Richard Quadling.
>
>
>