Hi all,
CGI SAPI is sending multiple set-cookie headers when strict mode is on.
[yohgaki@dev test-php-script]$ php-cgi session-strict-mode.php
X-Powered-By: PHP/5.5.7
Set-Cookie: PHPSESSID=semtekrsf2l13svihttdgo4hg4; path=/
Set-Cookie: PHPSESSID=vkh55u82icdq80p3i4v3831kc2; path=/
while the CLI server and Apache SAPI do not.
The current php_session_initialize() is:
php_session_reset_id(TSRMLS_C);
PS(session_status) = php_session_active;
/* Read data */
php_session_track_init(TSRMLS_C);
if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, &vallen TSRMLS_CC) == FAILURE) {
    /* Some broken save handler implementation returns FAILURE for non-existent session ID */
    /* It's better to raise error for this, but disabled error for better compatibility */
    /*
    php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Failed to read session data: %s (path: %s)", PS(mod)->s_name, PS(save_path));
    */
}
I've coded it as above since I cannot change 3rd party session save handlers'
code.
It is better to write it as follows (and change PS(session_status) in session
read):
/* Read data */
php_session_track_init(TSRMLS_C);
if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, &vallen TSRMLS_CC) == FAILURE) {
    /* Some broken save handler implementation returns FAILURE for non-existent session ID */
    /* It's better to raise error for this, but disabled error for better compatibility */
    /*
    php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Failed to read session data: %s (path: %s)", PS(mod)->s_name, PS(save_path));
    */
}
/* Set session ID if session read didn't activate session */
if (PS(session_status) != php_session_active) {
    php_session_reset_id(TSRMLS_C);
    PS(session_status) = php_session_active;
}
Session module code could be changed so that it will not try to set
multiple set-cookie headers and works with unmodified 3rd party save
handlers.
Alternatively, I suppose CGI SAPI could be changed, since the CLI server and
Apache SAPI do not send multiple set-cookie headers.
There are many SAPIs, so I'm wondering which is the best way to fix this
issue.
Comments are appreciated. Thank you.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
> There are many SAPIs, so I'm wondering which is the best way to fix this
> issue.
> Comments are appreciated. Thank you.
I've committed the fix for this problem in the session module.
http://git.php.net/?p=php-src.git;a=commitdiff;h=167eaedcbdb494c87c4f83d2897a9fdb614e7062
It seems there are issues in SAPIs, but they should be fixed as different
issues.
P.S. I've pushed a local pull-request branch by mistake with this commit.
May I delete it? I'll delete it later if there aren't any comments.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
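
Added example (not part of the original thread and not php-src code): a regression check for the symptom reported in the first message. It parses a CGI response header block and reports every cookie name that is set more than once. The function name `duplicate_set_cookies` and the sample input are constructed for this example; the sample reuses the header lines quoted from the php-cgi run above.

```python
import sys

# Constructed sample: the header lines quoted in the thread, then the blank
# line that ends the CGI header block, then a dummy body line.
SAMPLE_CGI_OUTPUT = (
    "X-Powered-By: PHP/5.5.7\r\n"
    "Set-Cookie: PHPSESSID=semtekrsf2l13svihttdgo4hg4; path=/\r\n"
    "Set-Cookie: PHPSESSID=vkh55u82icdq80p3i4v3831kc2; path=/\r\n"
    "\r\n"
    "Set-Cookie: body=this line is body text, not a header\r\n"
)


def duplicate_set_cookies(raw_response):
    """Return {cookie_name: [values, ...]} for cookies set more than once.

    Only the header block (everything before the first empty line) is read.
    Header names are matched case-insensitively.
    """
    seen = {}
    for line in raw_response.splitlines():
        if line == "":
            break  # blank line: end of headers, the rest is the body
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        # The cookie pair is everything before the first attribute separator.
        pair = value.split(";", 1)[0].strip()
        cookie_name, eq, cookie_value = pair.partition("=")
        if not eq:
            continue  # malformed Set-Cookie value, nothing to compare
        seen.setdefault(cookie_name.strip(), []).append(cookie_value.strip())
    return {n: v for n, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # Reads a raw CGI response from stdin; exits non-zero on duplicates.
    dups = duplicate_set_cookies(sys.stdin.read())
    for cookie, values in dups.items():
        print("duplicate Set-Cookie for %s: %s" % (cookie, ", ".join(values)))
    sys.exit(1 if dups else 0)
```

Piping the output of each SAPI under test into this script gives a pass/fail result that can be compared before and after the session module change.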