Newsgroups: php.internals
Date: Tue, 15 Nov 2011 23:51:25 +0100
To: Paul Dragoonis
Cc: PHP Development, mike@php.net
Subject: Re: [PHP-DEV] session_regenerate_id() not replacing Set-Cookie header
From: patrickallaert@php.net (Patrick ALLAERT)

2011/11/15 Paul Dragoonis:
> On Tue, Nov 15, 2011 at 10:09 PM, Patrick ALLAERT
> wrote:
>> Hello,
>>
>> Calling session_regenerate_id() inside the same request will generate
>> multiple Set-Cookie headers
>>
>> example code:
>> <?php
>> session_start();
>> session_regenerate_id();
>> session_regenerate_id();
>> ?>
>>
>> will result in, e.g.:
>> Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/
>> Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/
>>
>> As per rfc6265, it seems incorrect:
>> "Servers SHOULD NOT include more than one Set-Cookie header field in
>> the same response with the same cookie-name."
>>
>> And is causing errors on some Blackberry and IE8:
>> http://anvilstudios.co.za/blog/php/session-cookies-faulty-in-ie8/
>> http://supportforums.blackberry.com/t5/Web-and-WebWorks-Development/HTTPS-and-php-session-regenerate-id/m-p/125562
>>
>> It looks like the culprit is in ext/session/session.c:
>> /* 'replace' must be 0 here, else a previous Set-Cookie
>>  header, probably sent with setcookie() will be replaced! */
>> sapi_add_header_ex(ncookie.c, ncookie.len, 0, 0 TSRMLS_CC);
>> where 'replace' is intentionally set to 0 while everywhere else it is
>> called with replace = 1 (or via sapi_add_header())
>>
>> Can someone explain to me why we intentionally have that behavior?
>>
>
> Patrick, I don't know the reason why this is, but if it's filed as a
> bug then I'm happy to patch it!

Well, if that's a valid bug, I could have patched it myself; the thing
is that it really looks intentional, which makes me think it is not a bug.
Hence I asked the question on internals before submitting a bug about it.

@mike
Since you are the one who introduced the comment, you might be the
best person to comment on this.

Cheers,
Patrick
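
A userland way to collapse the duplicate headers described in the message above, as an added example that is not part of the original thread or of php-src. The function names `dedupe_set_cookie` and `resend_unique_cookies` and the `lang` cookie are hypothetical; the two PHPSESSID lines in the sample are the ones quoted in the message.

```php
<?php
// Added example, not code from the thread or from php-src.
// Sends each cookie name once, keeping the most recent value, i.e. the
// session ID left active by the last session_regenerate_id() call.

/** Takes header lines as returned by headers_list(); returns unique Set-Cookie lines. */
function dedupe_set_cookie(array $headers): array
{
    $latest = [];
    foreach ($headers as $line) {
        // Header field names are case-insensitive; only Set-Cookie is of interest.
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = ltrim(substr($line, strlen('Set-Cookie:')));
        // The cookie name is everything before the first '='.
        $name = strstr($value, '=', true);
        if ($name === false) {
            $name = $value; // no '=': key on the whole value so it is not dropped
        }
        // Keyed by name only, matching the RFC 6265 wording quoted above; same-name
        // cookies that differ in path or domain are collapsed as well.
        unset($latest[$name]); // re-insert so order follows the last occurrence
        $latest[$name] = 'Set-Cookie: ' . $value;
    }
    return array_values($latest);
}

/** Call after the last session_regenerate_id() and before any output is sent. */
function resend_unique_cookies(): void
{
    if (headers_sent()) {
        return; // headers are already on the wire, nothing can be changed
    }
    $unique = dedupe_set_cookie(headers_list());
    header_remove('Set-Cookie');
    foreach ($unique as $line) {
        header($line, false); // false = append, so distinct cookies all survive
    }
}

// Constructed sample input for a dry run without a web server.
$sample = [
    'Content-Type: text/html',
    'Set-Cookie: PHPSESSID=d8afvidkqp9jd4kns8ij976o72; path=/',
    'Set-Cookie: lang=en; path=/',
    'Set-Cookie: PHPSESSID=lkjla7kvotnfhutb43llcirj61; path=/',
];
print_r(dedupe_set_cookie($sample));
```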