Newsgroups: php.internals
Date: Tue, 15 Nov 2011 23:09:31 +0100
To: PHP Development
Cc: mike@php.net
Subject: session_regenerate_id() not replacing Set-Cookie header
From:
patrickallaert@php.net (Patrick ALLAERT)

Hello,

Calling session_regenerate_id() inside the same request will generate multiple Set-Cookie headers

example code:

will result in, e.g.:

    Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
    Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/

As per RFC 6265, it seems incorrect:

"Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name."

And is causing errors on some Blackberry and IE8:
http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562

It looks like the culprit is in ext/session/session.c:

    /* 'replace' must be 0 here, else a previous Set-Cookie header, probably sent with setcookie() will be replaced! */
    sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);

where 'replace' is intentionally set to 0 while everywhere else it is called with replace = 1 (or via sapi_add_header())

Can someone explain to me why we intentionally have that behavior?

Cheers,
Patrick
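
A check for the condition described in the message above, as an added example that is not part of the original post or of PHP's code: it scans a raw HTTP response for cookie names set by more than one Set-Cookie field. The function names and the sample response are constructed for illustration; only the two PHPSESSID lines come from the message.

```python
from collections import Counter

# Constructed sample response. The two PHPSESSID lines are the ones quoted
# in the message; the status line, other headers and body are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/\r\n"
    "Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
    "\r\n"
    "<html></html>"
)


def set_cookie_names(raw_response):
    """Return the cookie-name of every Set-Cookie field, in header order."""
    # Accept both CRLF and bare LF line endings.
    text = raw_response.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    names = []
    for line in head.split("\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # header field names are case-insensitive
        # The cookie-pair is everything before the first ';',
        # and the cookie-name is everything before the first '='.
        pair = value.split(";", 1)[0]
        name, eq, _ = pair.partition("=")
        if eq and name.strip():
            names.append(name.strip())  # cookie names are case-sensitive
    return names


def duplicate_cookie_names(raw_response):
    """Map cookie-name -> count for names set more than once in one response."""
    counts = Counter(set_cookie_names(raw_response))
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    for name, n in duplicate_cookie_names(SAMPLE_RESPONSE).items():
        print(f"{name}: {n} Set-Cookie fields in one response")
```
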