Newsgroups: php.internals
Date: Tue, 15 Nov 2011 22:13:02 +0000
From: dragoonis@gmail.com (Paul Dragoonis)
To: Patrick ALLAERT
Cc: PHP Development, mike@php.net
Subject: Re: [PHP-DEV] session_regenerate_id() not replacing Set-Cookie header

On Tue, Nov 15, 2011 at 10:09 PM, Patrick ALLAERT wrote:
> Hello,
>
> Calling session_regenerate_id() inside a same request will generate
> multiple Set-Cookie headers
>
> example code:
> <?php
> session_start();
> session_regenerate_id();
> session_regenerate_id();
> ?>
>
> will result in, e.g.:
> Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
> Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/
>
> As per rfc6265, it seems incorrect:
> "Servers SHOULD NOT include more than one Set-Cookie header field in
> the same response with the same cookie-name."
>
> And is causing errors on some Blackberry and IE8:
> http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
> http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562
>
> It looks like the culprit is in ext/session/session.c:
> /* 'replace' must be 0 here, else a previous Set-Cookie
>  header, probably sent with setcookie() will be replaced! */
> sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);
> where 'replace' is intentionally set to 0 while everywhere else it is
> called with replace = 1 (or via sapi_add_header())
>
> Can someone explain to me why we intentionally have that behavior?
>

Patrick, I don't know the reason why this is, but if it's filed as a bug then I'm happy to patch it!

- Paul.

> Cheers,
> Patrick
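
Added example, not part of the original thread and not PHP's own code: a Python check that flags cookie-names set more than once in one response, and a collapse step that keeps only the last Set-Cookie per cookie-name. Collapsing per cookie-name rather than per header field leaves an unrelated cookie (the constructed `lang` cookie below, standing in for one sent with setcookie()) untouched, which is the concern the session.c comment raises about replace = 1. The header list is constructed from the values quoted above.

```python
from collections import OrderedDict

# Constructed sample response headers (session values are those quoted in the thread).
SAMPLE_HEADERS = [
    "Content-Type: text/html",
    "Set-Cookie: lang=en; path=/",  # hypothetical cookie sent earlier via setcookie()
    "Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/",
    "Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/",
]


def cookie_name(header_line):
    """Return the cookie-name of a Set-Cookie header line, else None."""
    field, sep, value = header_line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        return None
    pair = value.split(";", 1)[0]          # name=value precedes the attributes
    name, eq, _ = pair.partition("=")
    name = name.strip()
    return name if eq and name else None


def duplicate_cookie_names(headers):
    """Cookie-names that appear in more than one Set-Cookie header."""
    counts = OrderedDict()
    for line in headers:
        name = cookie_name(line)
        if name is not None:
            counts[name] = counts.get(name, 0) + 1
    return [name for name, count in counts.items() if count > 1]


def collapse_set_cookie(headers):
    """Keep the last Set-Cookie per cookie-name; pass other headers through."""
    last_index = {}
    for i, line in enumerate(headers):
        name = cookie_name(line)
        if name is not None:
            last_index[name] = i
    return [
        line
        for i, line in enumerate(headers)
        if cookie_name(line) is None or last_index[cookie_name(line)] == i
    ]


if __name__ == "__main__":
    print("duplicate cookie-names:", duplicate_cookie_names(SAMPLE_HEADERS))
    for line in collapse_set_cookie(SAMPLE_HEADERS):
        print(line)
```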